Abstract

We present an extension of the first proof for the unconditional security of the BB84 quantum 
key distribution protocol which was given by Mayers. We remove the constraint that a perfect 
BB84 quantum source is required and the proof given here covers a range of practical quantum 
sources. Nothing is assumed about the detector except that the efficiency with which signals 
are detected is basis independent. 

1 Introduction 

This paper presents an extension of the first proof for the unconditional security of a quantum key 
distribution protocol, which was given by Mayers in [15]. The proof given here applies to a more 
general class of quantum sources than the perfect single photon source analyzed in [15] and now 
covers a range of practical quantum key distribution schemes. 

The goal of any key distribution system is to allow two participants, typically called Alice and 
Bob, who initially share no information, to share a secret random key at the end of the procedure. 
This secret key could then be used by both Alice and Bob to encrypt messages they wish to send to 
each other through an insecure public channel they do not trust, so that anybody who intercepts the 
encrypted message will learn nothing about the original message. There are many methods available 
to encrypt messages, but they all require that Alice and Bob share a private key. As an example 
we mention the classic Vernam one-time pad encryption scheme, which requires Alice and Bob to 
share a private bit-string $k$ of length $n$ to encrypt a message $m$ containing $n$ bits. Alice computes 
the encrypted message $m'$ via $m'[i] = m[i] \oplus k[i]$ and sends $m'$ to Bob, who finds $m$ by computing 
$m'[i] \oplus k[i]$. An eavesdropper who intercepts the encrypted message $m'$ but has no information on 
the private key $k$ will learn practically nothing about the message $m$. 

If Alice and Bob agree to physically meet before exchanging any secret messages, it is of course 
very easy for them to generate and share a secret bit-string. However, in the current information 
society in which there are millions of participants who wish to communicate in a private manner, 
it is very impractical if not impossible for every pair of parties to meet and exchange keys. One 
requires key distribution protocols in which all communication between Alice and Bob is public and 
can be monitored by a potential eavesdropper Eve. However, after the protocol has terminated, Eve 
should know practically nothing about the key which Alice and Bob share. At the moment, there 
are a number of classical key distribution systems which accomplish this task, but they are only 
secure by virtue of the limited amount of computational power available to Eve. The classic RSA 
cryptosystem for example relies upon the fact that it is extremely difficult to factorize products of 
two very large prime numbers. The goal of a quantum key distribution system is to provide users 
the comforting idea that the security of the system depends merely on the laws of nature and not 
on the unknown capabilities of adversaries. With the possible rise of quantum computers which can 
factorize numbers in polynomial time, it can be argued that this is not merely a theoretical issue. 

A typical quantum key distribution protocol requires Alice to be in possession of a quantum 
source and Bob to have a detection unit, which can perform some sort of measurement on the 
quantum states Alice sends. In the BB84 protocol, which was proposed by Bennett and Brassard, 
Alice's source should be able to produce photons linearly polarized at angles of exactly $0$, $\tfrac{\pi}{4}$, 
$\tfrac{\pi}{2}$ and $\tfrac{3\pi}{4}$. Alice chooses secretly and randomly a string of basis-bits $a \in \{+, \times\}^n$ and a string of 
key-bits $g \in \{0,1\}^n = \mathbb{F}_2^n$. For every index $i$, Alice's source produces a photon polarized at $g[i]\tfrac{\pi}{2}$ if 
the corresponding basis bit was $+$ and a photon polarized at $\tfrac{\pi}{4} + g[i]\tfrac{\pi}{2}$ if the corresponding basis bit 
was $\times$. Bob also chooses a secret string of basis bits $b \in \{+, \times\}^n$ and measures the polarization of 
each photon sent by Alice in the $+$ basis or the $\times$ basis, depending on $b$. In this way he determines 
a secret bit-string h which reflects the outcome of his measurements. The key observation is that 
if Bob and Alice share the same basis-bit for some photon, then g and h will agree, while if their 
basis-bits differ, Bob will measure a zero or a one with equal probability. By comparing their choice 
of basis a and b after the photon transmissions Alice and Bob can thus decide where g and h agree 
and use this information to define a secret key. Any potential eavesdropper Eve who intercepts 
the photons Alice sends to Bob has no information on the basis a Alice is using and thus cannot 
conclusively decide on Alice's key-bits g by performing measurements on the photons. Even worse, if 
she wishes to remain undetected, she must resend a photon to Bob, which in general will destroy the 
correlation between g and h. Intuitively, Alice and Bob can thus detect Eve with a large probability 
of success by randomly choosing half of the exchanged photons where their bases a and b agree and 
revealing their key-bits g and h for these photons. If there are too many errors they should abort 
the protocol, because Eve may know too much, while if the number of errors is small Eve knows 
nearly nothing and a key can safely be defined using the remaining part of the photons. 

The protocol we consider is a minor variant of the BB84 protocol. Since the introduction of 
this protocol in 1984, a great deal of effort has been spent in order to prove that this protocol is 
secure against any attack by Eve allowed by the laws of quantum physics. Many limited attacks 
were analyzed, but it was only in 1996 that Mayers provided the first proof of 
unconditional security [15]. By now, Mayers' argument has been followed up by other proofs of the 
security of ideal single-photon quantum key distribution [7, 17]. In particular, in [17] the authors 
relate the BB84 protocol to an entanglement purification protocol and give a conceptually simple 
security proof. 

We note here that unconditional security only means that there is no restriction on Eve's attack. 
It thus does not mean that there is no condition on the apparatus used by Alice and Bob and it is 
exactly this point that distinguishes the different security proofs now available. The major advantage 
of the framework used in the Mayers proof is that it assumes nearly nothing about the detector Bob 
uses, as opposed to e.g. the proof in [17], which requires an ideal detector together with an ideal 
source. Here the term ideal means that the equipment performs exactly as specified by the protocol. 
In [10] a slight extension of the argument in [17] is used to analyze slight deviations from the ideal 
source and detector, but there are still explicit assumptions on the source, channel and detector. 
The weakness of the original Mayers proof is the assumption that the source emits perfectly aligned 
photons at a rate of exactly one per pulse. In practice, perfect single photon sources are not available 
and practical implementations use either dim laser pulses or post-selected states from parametric 
downconversion. Unfortunately, both signal types contain multi-photon contributions which might 
seriously compromise the security of quantum key distribution. In addition, there is always a slight 
spread in the polarization axes of the emitted photons. 

In [11], Mayers' argument is extended to include multi-photon sources and it is shown that 
the security of BB84 is maintained if the fraction of pulses that contain more than one photon is 
sufficiently small. This paper deals with the issue of the imperfect polarization, by showing that 
the BB84 protocol remains secure if the deviation from the perfect source is small, in a sense which 
we will make exact. We do not cover the multi-photon situation, but we believe that it is merely 
a technicality to apply a similar extension of the type in [11] to the proof given here. Our proof 
follows closely the lines of [15] and makes use of the ideas contained therein. 

This paper is organized as follows. In Section 2 we define the variant of the BB84 protocol we 
will analyze. Section 3 introduces the notion of a quasiperfect source and discusses some practical 
types of quantum sources that are included by this definition. We provide exact definitions for the 
concepts of privacy and security against tampering in Section 4 and use these definitions to state 
our main theorems. The technical proofs of these theorems will be given in Section 5. 
2 The Protocol 

In this section we define the variant of Bennett and Brassard's BB84 protocol we shall analyze. Alice 
and Bob first together specify a number of parameters, then the quantum transmissions take place 
and finally a classical negotiation is performed to define the key. 

We employ a so-called randomizing box in the protocol, which is assumed to act independently 
of Alice and Bob and whose functioning is trusted by both Alice and Bob. In particular, we shall 
assume that Eve cannot get at the information in the box before it is announced and Eve cannot 
intercept the announcement of the basis-bit to Bob in step (QT5). The presence of this box is merely 
a technical convenience in the proof and poses no real restriction on the protocol, since the box may 
simply be taken to be Bob's computer. If Alice does not trust Bob's computer, she should not be 
exchanging a secret key with him in the first place. 

The protocol requires that Alice is in possession of a quantum source which, given a basis-bit 
$a \in \{0,1\}$ and a key-bit $g \in \{0,1\}$, produces some quantum state $\rho_a^g$, which need not necessarily 
be pure. Alice should also be able to send this quantum state to Bob along some quantum channel 
which is vulnerable to attack. In Section 3 we shall introduce the constraints on the quantum source 
and pre-agreement parameters which are necessary in order for the protocol to be private. However, 
we shall assume nothing about the quantum channel or the measurement performed by Bob, except 
that Bob's detector efficiency is basis-independent. Of course, if the key distribution system is to 
be practical in the sense that Alice and Bob often share a key at the end of the protocol, both Bob's 
equipment and the quantum channel will have to be adequate. The beauty of Mayers' argument [15] 
is that these two issues of privacy and usefulness are cleanly separated from each other. 

Pre-agreement 

Alice and Bob together specify the following operating parameters. 
P1. The length $m$ of the private key to be generated. 

P2. The threshold $\delta_P > 0$ for the error rate of the validation test. 

P3. The number of bits $n > m$ which should be used for the validation test and for the key 
definition. 

P4. A positive constant $\epsilon_N$ such that $N_{total} = \lceil (4 + \epsilon_N) n \rceil$ is the number of quantum signals to be 
exchanged, where $\lceil x \rceil$ denotes the smallest integer which is at least as large as $x$. 

P5. A security parameter $\epsilon > 0$, which directly determines the asymptotic security level of the 
protocol. 

P6. An $r \times n$ binary parity check matrix $F$ for some integer $1 < r < n$ and an $m \times n$ binary privacy 
amplification matrix $K$. See Appendix B for more information on parity check matrices. 

Quantum Transmission 

Alice and Bob repeatedly perform the following procedure, until the number of successfully 
exchanged photons is $N_{total}$. 

QT1. Alice chooses randomly a basis-bit $a$ and a key-bit $g$. 
QT2. Alice announces to Bob that she is about to send a signal. 
QT3. Alice prepares the state $\rho_a^g$ and sends it to Bob. 
QT4. Alice announces that the signal has been sent. 

QT5. Bob requests a basis-bit $b$ from the box if the previous one has been used. If Bob receives 
a signal, he performs a measurement on the received state, giving a value $h$. He informs 
Alice that the photon has been received and the number of successfully exchanged photons is 
incremented by one. If Bob does not receive a signal, he announces this and does nothing, 
retaining the basis-bit for future use. 

Classical Negotiation 

Alice and Bob go through the following steps and checks. If one of the checks is not passed, the 
protocol is aborted and Alice chooses her key $\kappa$ randomly from $\mathbb{F}_2^m$ in such a way that each $\kappa \in \mathbb{F}_2^m$ 
has equal probability to be chosen. 

C1. The randomizing box announces Bob's basis $b \in \mathbb{F}_2^{N_{total}}$ and a random set $R$ containing $N_{total}/2$ 
positions, which will be used for the verification test. 

C2. Bob announces $h[R]$. 

C3. The randomizing box announces a permutation $\pi$ of the $N_{total}$ elements. 

C4. Alice announces her basis $a \in \mathbb{F}_2^{N_{total}}$ and Alice and Bob calculate the set $\Omega = \{i \mid a[i] = b[i]\}$ 
on which their bases agree. 

C5. Alice and Bob check that the number of positions in $R$ on which Alice's and Bob's bases agree 
is at least $n$ and that the same holds for $\bar R = \{i \mid i \notin R\}$. 

C6. Let $S_P$ be the set that contains the first $n$ positions in $\Omega \cap R$, where first refers to the ordering 
which results after applying the permutation $\pi$. Alice announces $g[S_P]$. 

C7. Alice and Bob check that the number of differences $d_{S_P}$ between $h$ and $g$ on $S_P$ satisfies 
$d_{S_P} \le \lfloor \delta_P n \rfloor$, where $\lfloor x \rfloor$ denotes the largest integer $y$ satisfying $y \le x$. 

C8. Let $S_K$ be the set that contains the first $n$ positions in $\Omega \cap \bar R$, where first again refers to 
the ordering which results after applying the permutation $\pi$. Alice announces the syndrome 
$s = F g[S_K]$ and defines the key $\kappa = K g[S_K]$. 

C9. Bob applies error correction to his bits $h[S_K]$ using the syndrome $s$ to get $h'[S_K]$ and defines 
the key $\kappa_B = K h'[S_K]$. See Appendix B for details on error correction. 
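As an added illustration of the quantum transmission and classical negotiation above (example code written for this edition, not taken from the paper), the following is a classical Monte-Carlo simulation of the protocol with an ideal single-photon source. It implements steps QT1 to QT5 and C1 to C8 and reports whether the validation test of step C7 passes. The defaults $n = 500$, $\delta_P = 0.05$, $\epsilon_N = 0.5$, Bob's basis-independent detection efficiency `eta`, and the optional intercept-and-resend eavesdropper described in the introduction (`intercept_resend`) are all constructed assumptions. The parity check and privacy amplification matrices $F$ and $K$ of step P6 are left out, so the function returns the raw strings $g[S_K]$ and $h[S_K]$ rather than $\kappa$ and $\kappa_B$.

```python
import math
import random


def run_bb84(n=500, delta_p=0.05, eps_n=0.5, eta=0.8, intercept_resend=False, seed=1):
    """Simulate the BB84 variant of Section 2 with an ideal single-photon source.

    A photon with key-bit g and basis-bit a is polarized at angle g*pi/2 + a*pi/4.
    Measuring it in basis b (angle b*pi/4) gives outcome 0 with probability
    cos^2(theta - b*pi/4), so agreeing bases reproduce g and differing bases give
    a uniformly random bit. eta is Bob's basis-independent detection efficiency.
    The matrices F and K of step P6 are omitted: the function returns the raw
    strings g[S_K] and h[S_K] instead of the keys kappa and kappa_B.
    All parameter defaults are constructed for this example.
    """
    rng = random.Random(seed)
    n_total = math.ceil((4 + eps_n) * n)          # P4

    def measure(theta, basis):
        p_zero = math.cos(theta - basis * math.pi / 4) ** 2
        return 0 if rng.random() < p_zero else 1

    a_bits, g_bits, b_bits, h_bits = [], [], [], []
    while len(h_bits) < n_total:                  # QT1-QT5 until N_total photons exchanged
        a, g = rng.randrange(2), rng.randrange(2)  # QT1
        theta = g * math.pi / 2 + a * math.pi / 4  # QT3, ideal source
        if intercept_resend:                       # the eavesdropper of the introduction:
            e = rng.randrange(2)                   # measure in a random basis, resend the result
            theta = measure(theta, e) * math.pi / 2 + e * math.pi / 4
        if rng.random() >= eta:                    # photon lost: Bob announces this and keeps
            continue                               # his basis-bit for the next signal
        b = rng.randrange(2)                       # basis-bit supplied by the randomizing box
        a_bits.append(a)
        g_bits.append(g)
        b_bits.append(b)
        h_bits.append(measure(theta, b))

    # Classical negotiation C1-C8 (without syndrome and key matrices)
    order = list(range(n_total))
    rng.shuffle(order)
    test_set = set(order[: n_total // 2])          # C1: the set R, half of the positions
    perm = list(range(n_total))
    rng.shuffle(perm)                              # C3: the permutation pi
    omega = {i for i in range(n_total) if a_bits[i] == b_bits[i]}   # C4
    in_r = [i for i in perm if i in omega and i in test_set]
    not_in_r = [i for i in perm if i in omega and i not in test_set]
    if len(in_r) < n or len(not_in_r) < n:         # C5
        return {"aborted": "too few positions with agreeing bases"}
    s_p, s_k = in_r[:n], not_in_r[:n]              # C6, C8
    d_sp = sum(g_bits[i] != h_bits[i] for i in s_p)
    passed = d_sp <= math.floor(delta_p * n)       # C7
    return {
        "aborted": None if passed else "validation test failed",
        "test_errors": d_sp,
        "test_error_rate": d_sp / n,
        "key_errors": sum(g_bits[i] != h_bits[i] for i in s_k),
        "raw_key_alice": [g_bits[i] for i in s_k],
        "raw_key_bob": [h_bits[i] for i in s_k],
    }


if __name__ == "__main__":
    for eve in (False, True):
        result = run_bb84(intercept_resend=eve)
        print("intercept-resend" if eve else "no eavesdropper", result["aborted"], result["test_errors"])
```

Without an eavesdropper and without channel noise the validation test finds no errors and the raw strings on $S_K$ agree, so the simulation only exercises the sifting and the test. With the intercept-and-resend strategy of the introduction switched on, roughly a quarter of the positions in $S_P$ disagree, far above $\lfloor \delta_P n \rfloor = 25$, and step C7 aborts the protocol; this is the detection mechanism the introduction describes, made concrete.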

3 The source 

In the BB84 protocol one requires a source which takes as input a basis-bit $a$ and a key-bit $g$ and 
produces a state $\rho_a^g$ over some finite dimensional Hilbert space $\mathcal{H}_Q$. We shall prove the security of 
BB84 for a special class of sources which we call quasiperfect sources. In this section we introduce 
and discuss this notion, which is defined formally below. 

Definition 3.1. A source which emits quantum states $\{\rho_a^g\}_{a,g=0,1}$ over some finite Hilbert space $\mathcal{H}_Q$ 
is called quasiperfect with parameters $(\beta_{qp}, \gamma_{qp})$ if there exist projection matrices $P_a^g$ and $\bar P_a^g$ for 
$a = 0,1$ and $g = 0,1$, such that the following conditions hold. 

S1. $P_a^0 + P_a^1 = \bar P_a^0 + \bar P_a^1 = 1_{\mathcal{H}_Q}$ for $a = 0,1$. 

S2. We have the identity $\rho_0^0 + \rho_0^1 = \rho_1^0 + \rho_1^1$ and correspondingly define $H = \rho_0^0 + \rho_0^1$. 

S3. $\operatorname{Tr} \rho_a^g H = 1$ for $a = 0,1$ and $g = 0,1$. 

S4. There exist unitary $T_a$ such that $T_a^\dagger P_a^g T_a = \bar P_a^g$ for $a = 0,1$ and $g = 0,1$. In addition, 
$T_a^\dagger H T_a = H$ for $a = 0,1$. 

S5. $P_a^0 H P_a^1 = 0$, for $a = 0,1$. 

S6. $\bar P_{\bar a}^g \rho_a^0 \bar P_{\bar a}^g = \bar P_{\bar a}^g \rho_a^1 \bar P_{\bar a}^g$, for $a = 0,1$ and $g = 0,1$, where $\bar a = 1 - a$. 

S7. There exist unitary $S_a$ such that $S_a^\dagger P_a^g S_a$ and $S_a^\dagger \rho_a^g S_a$ are diagonal for $a = 0,1$ and $g = 0,1$. 
In particular, this means that $P_a^g$ and $\rho_a^g$ commute. 

S8. $\operatorname{Tr} P_a^{\bar g} \rho_a^g \le \beta_{qp}$ for $a = 0,1$ and $g = 0,1$, where $\bar g = 1 - g$. 

S9. Letting $\Lambda_a^g$ be the set of eigenvalues of the Hermitian matrix $P_a^g H - \bar P_a^g H$ and defining $\gamma_a^g = 
\sum_{\lambda \in \Lambda_a^g} |\lambda|$, we have $\gamma_a^g \le \gamma_{qp}$ for $a = 0,1$ and $g = 0,1$. 

□ 
The following lemma states some elementary properties of a quasiperfect source which follow 
directly from the definitions given above. 

Lemma 3.1. Consider a quasiperfect source with the corresponding matrices $P_a^g$, $\bar P_a^g$ and $H$ and let 
$\Lambda_a^g$ be defined as in (S9). Then the following identities hold for all $a = 0,1$ and $g = 0,1$. 

$$\operatorname{Tr} P_a^g \rho_a^g = \operatorname{Tr} \bar P_a^g \rho_a^g, \qquad \Lambda_a^0 = \Lambda_a^1. \qquad (1)$$ 

Proof. The first identity follows immediately from properties (S2) and (S5). The last two identities 
follow immediately from (S2) and (S1). □ 

In order to give some insight into the practical value of the above rather technical definition of 
a quasiperfect source, we give two examples of such a source. In particular, we show that our 
definition encompasses the ideal single-photon source analyzed in the Mayers proof [15] and we give 
a nontrivial example which is very important for practical key distribution schemes. 

We recall that an ideal BB84 source emits the states $\rho_a^g = |\psi(a,g)\rangle\langle\psi(a,g)|$ with 

$$\psi(0,0) = \begin{pmatrix} 1 \\ 0 \end{pmatrix}, \qquad \psi(0,1) = \begin{pmatrix} 0 \\ 1 \end{pmatrix}, \qquad (2)$$ 

$$\psi(1,0) = \frac{1}{\sqrt{2}}\begin{pmatrix} 1 \\ 1 \end{pmatrix}, \qquad \psi(1,1) = \frac{1}{\sqrt{2}}\begin{pmatrix} 1 \\ -1 \end{pmatrix}. \qquad (3)$$ 

Defining $\Pi^0 = \begin{pmatrix} 1 & 0 \\ 0 & 0 \end{pmatrix}$ and $\Pi^1 = I_2 - \Pi^0$, we see that 

$$\rho_0^g = \Pi^g, \qquad \rho_1^g = R(\tfrac{\pi}{4})^\dagger \Pi^g R(\tfrac{\pi}{4}), \qquad (4)$$ 

for $g = 0,1$, where $R(\alpha)$ is the unitary rotation matrix with angle $\alpha$. 

It is easy to see that this ideal source is also quasiperfect with parameters $(0,0)$, by taking 
$P_a^g = \bar P_a^g = \rho_a^g$, $S_0 = 1$ and $S_1 = R(-\tfrac{\pi}{4})$. 

We now give the nontrivial example of a quasiperfect source which can be seen as a generalization 
of the ideal BB84 source. To do this, we consider probability distributions on the interval $[0, 2\pi]$. If 
$p$ is such a distribution, we define the quantities 

$$s_p = \int_0^{2\pi} p(\alpha) \sin 2\alpha \, d\alpha, \qquad c_p = \int_0^{2\pi} p(\alpha) \cos 2\alpha \, d\alpha,$$ 
$$s_p^{(2)} = \int_0^{2\pi} p(\alpha) \sin^2(\alpha) \, d\alpha, \qquad c_p^{(2)} = \int_0^{2\pi} p(\alpha) \cos^2(\alpha) \, d\alpha. \qquad (5)$$ 

For any angle $\phi$, we define the shifted distribution $p^\phi$ by $p^\phi(\alpha) = p((\alpha + \phi) \bmod 2\pi)$. 
Theorem 3.2. Consider two probability distributions $\rho_0(\alpha)$ and $\rho_1(\alpha)$ on $[0, 2\pi]$ and define the 
angles $\phi_a = \tfrac{1}{2}\arctan\big(s_{\rho_a} / c_{\rho_a}\big)$ for $a = 0,1$. Then the source which produces the states 

$$\rho_a^g = \int_0^{2\pi} \rho_a(\alpha) R(\alpha)^\dagger \Pi^g R(\alpha) \, d\alpha \qquad (6)$$ 

is a quasiperfect source with parameters $(\beta_{qp}, \gamma_{qp})$, where 

$$\beta_{qp} = \max\big(s^{(2)}_{\rho_0^{\phi_0}}, s^{(2)}_{\rho_1^{\phi_1}}\big), \qquad 
\gamma_{qp} = \min\big(2\,|\sin(\phi_1 - \phi_0 - \tfrac{\pi}{4})|,\; 2\,|\sin(\phi_0 - \phi_1 - \tfrac{\pi}{4})|\big). \qquad (7)$$ 
Proof. We start by calculating 

$$R(\alpha)^\dagger \Pi^g R(\alpha) = \begin{pmatrix} \delta_{g0}\cos^2\alpha + \delta_{g1}\sin^2\alpha & (-1)^g \tfrac{1}{2}\sin 2\alpha \\ (-1)^g \tfrac{1}{2}\sin 2\alpha & \delta_{g0}\sin^2\alpha + \delta_{g1}\cos^2\alpha \end{pmatrix}. \qquad (8)$$ 

Now recalling that $\sin 2(\alpha - \phi) = \sin 2\alpha \cos(-2\phi) + \cos 2\alpha \sin(-2\phi)$, we see that 

$$s_{\rho_a^{\phi_a}} = \cos(-2\phi_a)\, s_{\rho_a} + \sin(-2\phi_a)\, c_{\rho_a} = 0, \qquad (9)$$ 

by definition of $\phi_a$. This allows us to write 

$$\rho_a^g = \int_0^{2\pi} \rho_a^{\phi_a}(\alpha) R(\alpha + \phi_a)^\dagger \Pi^g R(\alpha + \phi_a) \, d\alpha 
= R(\phi_a)^\dagger \Big( \int_0^{2\pi} \rho_a^{\phi_a}(\alpha) R(\alpha)^\dagger \Pi^g R(\alpha) \, d\alpha \Big) R(\phi_a)$$ 
$$= R(\phi_a)^\dagger \begin{pmatrix} \delta_{g0}\, c^{(2)}_{\rho_a^{\phi_a}} + \delta_{g1}\, s^{(2)}_{\rho_a^{\phi_a}} & 0 \\ 0 & \delta_{g0}\, s^{(2)}_{\rho_a^{\phi_a}} + \delta_{g1}\, c^{(2)}_{\rho_a^{\phi_a}} \end{pmatrix} R(\phi_a). \qquad (10)$$ 

Now notice $\rho_0^0 + \rho_0^1 = \rho_1^0 + \rho_1^1 = 1_2 = H$. Defining $P_a^g = R(\phi_a)^\dagger \Pi^g R(\phi_a)$ and $S_a = R(-\phi_a)$, 
we immediately see that $S_a$ simultaneously diagonalizes $P_a^g$ and $\rho_a^g$ for $a = 0,1$ and $g = 0,1$. It is 
also easy to see that $\operatorname{Tr} P_a^{\bar g} \rho_a^g = s^{(2)}_{\rho_a^{\phi_a}}$, which establishes the claim about the parameter $\beta_{qp}$. We also 
define 

$$\bar P_0^g = R(\phi_1 - \tfrac{\pi}{4})^\dagger \Pi^g R(\phi_1 - \tfrac{\pi}{4}), \qquad 
\bar P_1^g = R(\tfrac{\pi}{4} + \phi_0)^\dagger \Pi^g R(\tfrac{\pi}{4} + \phi_0). \qquad (11)$$ 

Since 

$$\begin{pmatrix} 1 & (-1)^g \\ (-1)^g & 1 \end{pmatrix} \begin{pmatrix} 1 & 0 \\ 0 & -1 \end{pmatrix} \begin{pmatrix} 1 & (-1)^g \\ (-1)^g & 1 \end{pmatrix} = 0, \qquad (12)$$ 

one immediately verifies (S6) by rotating the axis system over $-\phi_0$. Condition (S4) is satisfied if 
one defines $T_0 = R(\phi_1 - \tfrac{\pi}{4} - \phi_0)$ and $T_1 = R(\tfrac{\pi}{4} + \phi_0 - \phi_1)$. Finally, we calculate 

$$\Delta_a = R(-\phi_a)^\dagger \big( P_a^0 - \bar P_a^0 \big) R(-\phi_a) = \begin{pmatrix} \sin^2\psi_a & -\tfrac{1}{2}\sin 2\psi_a \\ -\tfrac{1}{2}\sin 2\psi_a & -\sin^2\psi_a \end{pmatrix}, \qquad (13)$$ 

in which $\psi_0 = \phi_1 - \phi_0 - \tfrac{\pi}{4}$ and $\psi_1 = -\psi_0$. Since the eigenvalues of $\Delta_a$ are $\pm \sin(\psi_a)$, the statement 
in the claim about the parameter $\gamma_{qp}$ immediately follows using Lemma 3.1 if we notice that in the 
definition we could have flipped the sign in front of the angle $\tfrac{\pi}{4}$. 

□ 

Remark 3.1. If the probability distribution $\rho_a$ is symmetric around some angle $\alpha_a$, then $\phi_a = \alpha_a$. 
The theorem shows how the parameters $(\beta_{qp}, \gamma_{qp})$ quantify the deviation of a quasiperfect source from 
the ideal BB84 source. 
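To make Theorem 3.2 and Remark 3.1 concrete, the following added example (written for this edition, not code from the paper) evaluates $\phi_a$, $\beta_{qp}$ and $\gamma_{qp}$ for two constructed angular distributions and then checks numerically that the matrices $P_a^g$, $\bar P_a^g$ and $S_a$ built in the proof satisfy (S2), (S6), (S8) and (S9). The assumptions are: distributions are discrete (a few angles with weights), so sums replace the integrals in (5) and (6); the real rotation matrix is chosen so that $R(\alpha)^\dagger \Pi^0 R(\alpha)$ has off-diagonal entry $+\tfrac{1}{2}\sin 2\alpha$ as in (8); the branch of $\tfrac{1}{2}\arctan(s/c)$ is fixed with `atan2`; and the sign in front of $\tfrac{\pi}{4}$ in (11) is flipped exactly when that gives the smaller value of $\gamma_{qp}$, as the end of the proof allows. All function and constant names are mine.

```python
import math

# Constructed angular distributions [(angle, weight), ...]: rho_0 spread +-0.1 rad
# around 0, rho_1 spread +-0.2 rad around pi/4 + 0.05 (a slightly misaligned x basis).
EXAMPLE_RHO0 = [(0.1, 0.5), (-0.1, 0.5)]
EXAMPLE_RHO1 = [(math.pi / 4 + 0.05 + 0.2, 0.5), (math.pi / 4 + 0.05 - 0.2, 0.5)]
# The same basis as the ideal x basis but centred at 3*pi/4 (the two key bits swapped).
EXAMPLE_RHO1_SWAPPED = [(3 * math.pi / 4 + 0.1, 0.5), (3 * math.pi / 4 - 0.1, 0.5)]

PI_PROJ = {0: [[1.0, 0.0], [0.0, 0.0]], 1: [[0.0, 0.0], [0.0, 1.0]]}   # Pi^0 and Pi^1
IDENTITY = [[1.0, 0.0], [0.0, 1.0]]


def mat_mul(a, b):
    return [[sum(a[i][k] * b[k][j] for k in range(2)) for j in range(2)] for i in range(2)]


def mat_add(a, b, scale=1.0):
    return [[a[i][j] + scale * b[i][j] for j in range(2)] for i in range(2)]


def rotation(alpha):
    # Convention chosen so that R(a)^T Pi^0 R(a) has off-diagonal +1/2 sin 2a, as in (8).
    c, s = math.cos(alpha), math.sin(alpha)
    return [[c, s], [-s, c]]


def rotated(proj, alpha):
    """R(alpha)^dagger proj R(alpha) for a real 2x2 matrix proj."""
    r = rotation(alpha)
    r_t = [[r[0][0], r[1][0]], [r[0][1], r[1][1]]]
    return mat_mul(mat_mul(r_t, proj), r)


def moments(dist, phi=0.0):
    """s_p, c_p, s_p^(2), c_p^(2) of the shifted distribution p^phi (sums replace the integrals in (5))."""
    s = sum(w * math.sin(2 * (al - phi)) for al, w in dist)
    c = sum(w * math.cos(2 * (al - phi)) for al, w in dist)
    s2 = sum(w * math.sin(al - phi) ** 2 for al, w in dist)
    c2 = sum(w * math.cos(al - phi) ** 2 for al, w in dist)
    return s, c, s2, c2


def source_parameters(rho0, rho1):
    """phi_0, phi_1, beta_qp and gamma_qp of Theorem 3.2."""
    phis = []
    for dist in (rho0, rho1):
        s, c, _, _ = moments(dist)
        phis.append(0.5 * math.atan2(s, c))   # branch of (1/2) arctan(s/c) fixed with atan2
    beta = max(moments(d, phi)[2] for d, phi in zip((rho0, rho1), phis))
    gamma = min(2 * abs(math.sin(phis[1] - phis[0] - math.pi / 4)),
                2 * abs(math.sin(phis[0] - phis[1] - math.pi / 4)))
    return phis[0], phis[1], beta, gamma


def emitted_state(dist, g):
    """rho_a^g = sum_alpha p(alpha) R(alpha)^dagger Pi^g R(alpha), the discrete form of (6)."""
    state = [[0.0, 0.0], [0.0, 0.0]]
    for al, w in dist:
        state = mat_add(state, rotated(PI_PROJ[g], al), w)
    return state


def check_properties(rho0, rho1, tol=1e-12):
    """Verify (S2), (S6), (S8) and (S9) for the matrices built in the proof of Theorem 3.2."""
    phi0, phi1, beta, gamma = source_parameters(rho0, rho1)
    dists, phis = (rho0, rho1), (phi0, phi1)
    # Flip the sign of pi/4 in (11) when that is the choice giving the smaller gamma_qp.
    quarter = math.pi / 4 if 2 * abs(math.sin(phi1 - phi0 - math.pi / 4)) <= gamma + tol else -math.pi / 4
    rho = {(a, g): emitted_state(dists[a], g) for a in (0, 1) for g in (0, 1)}
    proj = {(a, g): rotated(PI_PROJ[g], phis[a]) for a in (0, 1) for g in (0, 1)}
    proj_bar = {(0, g): rotated(PI_PROJ[g], phi1 - quarter) for g in (0, 1)}
    proj_bar.update({(1, g): rotated(PI_PROJ[g], phi0 + quarter) for g in (0, 1)})

    def same(x, y):
        return all(abs(x[i][j] - y[i][j]) < tol for i in range(2) for j in range(2))

    ok = same(mat_add(rho[0, 0], rho[0, 1]), IDENTITY) and same(mat_add(rho[1, 0], rho[1, 1]), IDENTITY)  # S2
    for a in (0, 1):
        for g in (0, 1):
            m = mat_mul(proj[a, 1 - g], rho[a, g])
            ok = ok and m[0][0] + m[1][1] <= beta + tol                      # S8: Tr P_a^{1-g} rho_a^g <= beta
            q = proj_bar[1 - a, g]                                           # S6: other basis's projector gives
            ok = ok and same(mat_mul(mat_mul(q, rho[a, 0]), q), mat_mul(mat_mul(q, rho[a, 1]), q))  # no key info
        delta = mat_add(proj[a, 0], proj_bar[a, 0], -1.0)                    # S9: Delta_a is traceless symmetric,
        lam = math.hypot(delta[0][0], delta[0][1])                           # eigenvalues +-lam
        ok = ok and 2 * lam <= gamma + tol
    return ok


if __name__ == "__main__":
    print(source_parameters(EXAMPLE_RHO0, EXAMPLE_RHO1))
    print(check_properties(EXAMPLE_RHO0, EXAMPLE_RHO1), check_properties(EXAMPLE_RHO0, EXAMPLE_RHO1_SWAPPED))
```

For `EXAMPLE_RHO0` and `EXAMPLE_RHO1` one obtains $\phi_0 = 0$, $\phi_1 = \tfrac{\pi}{4} + 0.05$ (Remark 3.1: both distributions are symmetric around their centres), $\beta_{qp} = \sin^2 0.2$, the larger of the two angular spreads, and $\gamma_{qp} = 2\sin 0.05$, the misalignment between the two bases. The swapped distribution gives $\gamma_{qp} = 0$ only after the sign flip at the end of the proof, which is why the check selects the sign from the value of $\gamma_{qp}$.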

The theorem above illustrates how a security proof which holds when a quasiperfect source 
with small parameters $(\beta_{qp}, \gamma_{qp})$ is used will significantly generalize the applicability of the original 
Mayers proof and will cover a range of practical quantum key distribution schemes. In particular, 
since it is never possible in real life to perfectly align the polarization of the emitted photons, the 
possibility to allow a small angular spread in these polarization axes is an essential element of a 
practical security proof. We remark here that in Theorem 3.2 we required that the shape of the 
probability distribution which governs the alignment of the photon only depends on the basis-bit 
and not on the key-bit. However, a convenient way to construct a source that satisfies property (S2) 
is to introduce an auxiliary system $A'$ with associated Hilbert space $\mathcal{H}_{A'}$. One then produces an 
entangled state $\rho_{AA'}$ and performs a measurement $M_a$, which depends only on the basis-bit $a$, acts 
only on the system $A'$ and has two possible outcomes. If the key-bit $g$ is determined by the outcome 
of the measurement $M_a$, the shape of the probability distribution only depends on the measurement 
$M_a$, which justifies the practicality of our assumption. 

In this framework it is also possible to analyze the situation in which Eve performs a limited 
basis dependent attack, as discussed in [10]. This situation arises for example when we assume 
that Eve has supplied to Alice the source used for the quantum transmissions. She could then have 
programmed the source to rotate the emitted photon slightly (relative to the ideal source) if the 
corresponding basis bit was a 0. She might even let the source vary the cheating strategy. However, 
as long as Eve does not know during the quantum transmission phase which cheating tactic the 
source is going to apply, it is sufficient to analyze the situation in which the source always emits the 
averaged state $\rho_a^g$. We note here that this assumption means that Eve and the source do not share 
any non-constant correlated random variables. This includes among others the absolute time and 
the number of already emitted photons. 

Of course, the issue remains how one can test whether or not a source is quasiperfect and 
estimate the parameters. In [12], the authors describe the issue of testing uncharacterized quantum 
equipment. They show how to construct a so-called self-checking source which is guaranteed to be a 
perfect BB84 source. However, their arguments assume that some specific probability distribution 
is known exactly, which is of course never the case. We remark that it may be possible to adapt 
their argument to include quasiperfect sources, but we do not discuss this issue here. 

4 Main results 

In this section we state our main results, which concern the privacy and reliability of the BB84 
protocol we discussed in Section 2. We shall consider the BB84 protocol in which a quasiperfect 
source with parameters $(\beta_{qp}, \gamma_{qp})$ is used and where in addition the conditions below hold. 

Assumption 4.1. Let $\Delta$ be such that 

$$\frac{\Delta}{1 - \Delta}\, \delta_P \ge \tfrac{1}{2}\epsilon + \beta_{qp}. \qquad (14)$$ 

The minimal weight $d_w$ of linear combinations of rows from $F$ and $K$ which contain at least one row 
from $K$ satisfies $d_w > 2\big(\frac{1}{1-\Delta}\delta_P + \tfrac{1}{2}\gamma_{qp} + \epsilon\big)n$, where the weight of a bit-string $v \in \mathbb{F}_2^n$ is defined to 
be the quantity $d(v, 0)$, i.e. the number of ones in $v$. In addition, the matrix $F$ is the parity check 
matrix of a linear code which can correct $\lceil(\delta_P + \epsilon)n\rceil$ errors. Finally, Bob's detector efficiency is 
basis independent, i.e. the probability that a photon is successfully exchanged between Alice and Bob 
is independent of the basis-bit used by Bob. 

Consider any possible attack by an eavesdropper Eve on the BB84 protocol. In general, Eve will 
record all the classical messages announced by Alice and Bob and perform a number of operations and 
measurements on the quantum states transmitted through the quantum channel, possibly combined 
with measurements on auxiliary systems. Such an auxiliary system could for example be a random 
number generator in order to introduce a certain randomness in the applied eavesdropping tactic. 
After completion of all her operations, Eve will have acquired a vector v of information of some kind, 
which we will consider to be an element in the set V of all possible outcomes of her experiments. 
We will consider the situation in which Eve has a fixed strategy for eavesdropping, that is, if all the 
measurements on the external systems yield the same outcome and all the classical announcements 
by Alice and Bob are the same, then Eve will perform the same operations and measurements on 
the emitted quantum states. In this framework, the eavesdropping tactic employed by Eve defines 
a probability distribution $P$ on the product space $\mathbb{F}_2^m \times V$, where $P(\kappa, v)$ denotes the probability 
that the key defined by Alice is $\kappa$ and the information obtained by Eve is $v$. If Alice and Bob want 
the key they share at the end of the protocol to remain secret, then for any tactic employed by Eve 
the outcome $v$ should yield very little information about the key $\kappa$. This measure of correlation is 
conveniently expressed by the Shannon entropy $H_P(\kappa \mid v)$, which is defined as 

$$H_P(\kappa \mid v) = -\sum_{\kappa} \sum_{v} P(\kappa, v) \log_2 P(\kappa \mid v). \qquad (15)$$ 

Here $P(\kappa \mid v) = P(\kappa, v)/P(v)$ denotes the conditional probability distribution of $\kappa$ given $v$. Note that 
in the ideal case the random variables $\kappa$ and $v$ are independent, which means $P(\kappa, v) = P(\kappa)P(v) = 
2^{-m}P(v)$, since each key $\kappa$ is equally probable. This immediately implies $H(\kappa \mid v) = m$. 

Our main result is expressed in the following theorem, which states that, under suitable operating 
conditions, the maximal deviation from the ideal value of the conditional Shannon entropy that Eve 
can achieve decreases exponentially as n increases, even if the rate of key generation m/n is kept at 
a constant level. 

Theorem 4.1. Consider the BB84 protocol in which a quasiperfect source with parameters $(\beta, \gamma)$ is 
used and suppose that the conditions in Assumption 4.1 hold. Consider any eavesdropping strategy 
that Eve can employ and let $V$ be the set of all possible outcomes of her measurements. Denote by 
$P$ the associated probability distribution on the space $\mathbb{F}_2^m \times V$ for the random variable which gives 
jointly the key $\kappa \in \mathbb{F}_2^m$ defined by Alice and the information $v$ obtained by Eve. Then there exist two 
functions $\epsilon_1(n, m, \epsilon)$ and $N(\epsilon)$, which are both independent of the strategy employed by Eve, such 
that 

$$H_P(\kappa \mid v) \ge m - \epsilon_1(n, m, \epsilon), \qquad (16)$$ 

for all $n \ge N(\epsilon)$. Moreover, for any $\lambda > 0$, there exist constants $\mu(\lambda, \epsilon) > 0$ and $C(\lambda, \epsilon) > 0$, such 
that 

$$0 \le \epsilon_1(n, m, \epsilon) \le C(\lambda, \epsilon)\, e^{-\mu(\lambda, \epsilon) n} \qquad (17)$$ 

for all $m$ which satisfy $m \le \lambda n$. 

The proof of this theorem will be given in subsequent sections. For the moment, we remark that 
Corollary B.3 implies that the number of rows $r$ of a parity check matrix $F$ which meets the conditions 
in Assumption 4.1 can be chosen to satisfy $r/n \sim H_2(2(\delta_P + \epsilon))$, where $A(n) \sim B(n)$ means 
$\lim_{n \to \infty} A(n)/B(n) = 1$ and $H_2$ is the binary entropy function $H_2(x) = -(x \log_2 x + (1 - x)\log_2(1 - x))$. 
In view of this value for $r$, Lemmas B.2 and B.4 imply that we can choose a privacy amplification 
matrix $K$ with $m$ rows that satisfies Assumption 4.1, where 

$$m/n \sim 1 - H_2\big(2(\delta_P + \epsilon)\big) - H_2\big(2(\delta_P + \beta_{qp} + \tfrac{1}{2}\gamma_{qp} + \tfrac{3}{2}\epsilon)\big). \qquad (18)$$ 

To obtain this expression we have substituted $\frac{1}{1-\Delta}\delta_P \approx \delta_P + \tfrac{1}{2}\epsilon + \beta_{qp}$. We can thus use the BB84 
protocol to generate keys at the asymptotic rate $m/n$ given by (18), where the privacy level of 
the protocol increases as $n$ increases. In the case where $\beta_{qp} = \gamma_{qp} = 0$, this means we can choose 
$\delta_P = 5\%$ and still generate key-bits at a rate of $m/n \approx 6.2\%$. 

We remark here that the rate (18) is only a worst-case bound and is far from optimal. In 
particular, if one relaxes the requirement that the error correcting code can correct all errors with 
weight less than $(\delta_P + \epsilon)n$ to the requirement that this can be done with probability exponentially 
close to one, it is possible to choose $r/n \sim H_2(\delta_P + \epsilon)$. Furthermore, in Remark 5.1 we conjecture 
that it is possible to improve the third term in (18), which would lead to the bound $m/n \sim 1 - 
H_2(\delta_P) - H_2(\delta_P + \beta_{qp} + \tfrac{1}{2}\gamma_{qp})$, where we have taken $\epsilon \approx 0$. 
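The asymptotic rate (18) and the conjectured improvement just mentioned are easy to evaluate; the following added example (written for this edition, not the paper's own code) does so and also finds the largest validation threshold $\delta_P$ for which each bound still gives a positive key rate. The $\epsilon$ term is taken from (18) as stated above, and the function names are mine.

```python
import math


def h2(x):
    """Binary entropy H_2(x) in bits, with H_2(0) = H_2(1) = 0."""
    if x <= 0.0 or x >= 1.0:
        return 0.0
    return -(x * math.log2(x) + (1 - x) * math.log2(1 - x))


def key_rate(delta_p, beta_qp=0.0, gamma_qp=0.0, eps=0.0):
    """Asymptotic secret-key rate m/n of equation (18)."""
    return 1 - h2(2 * (delta_p + eps)) - h2(2 * (delta_p + beta_qp + 0.5 * gamma_qp + 1.5 * eps))


def conjectured_rate(delta_p, beta_qp=0.0, gamma_qp=0.0):
    """The improved bound conjectured in the text, with eps ~ 0."""
    return 1 - h2(delta_p) - h2(delta_p + beta_qp + 0.5 * gamma_qp)


def max_tolerable_error(rate_fn, step=1e-4, **source_params):
    """Largest delta_P (to within step) for which rate_fn still gives a positive rate."""
    delta = 0.0
    while rate_fn(delta + step, **source_params) > 0:
        delta += step
    return delta


if __name__ == "__main__":
    print("rate at delta_P = 5%, ideal source:", round(key_rate(0.05), 4))
    print("rate at delta_P = 5%, beta = gamma = 0.02:", round(key_rate(0.05, 0.02, 0.02), 4))
    print("max delta_P, bound (18):", round(max_tolerable_error(key_rate), 4))
    print("max delta_P, conjectured bound:", round(max_tolerable_error(conjectured_rate), 4))
```

With $\beta_{qp} = \gamma_{qp} = \epsilon = 0$ the rate at $\delta_P = 5\%$ is the $6.2\%$ quoted above, and (18) becomes negative once $\delta_P$ exceeds about $5.5\%$, whereas the conjectured bound tolerates roughly twice that. Even a modest source imperfection such as $\beta_{qp} = \gamma_{qp} = 0.02$ already drives the bound (18) below zero at $\delta_P = 5\%$, which shows how much of the tolerable error budget the worst-case bound spends on the source parameters.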

It still remains to address the issue of the reliability of the BB84 protocol. In the situation that 
all the verification tests succeed and Bob and Alice have both defined a key Kb and k respectively, 
they will need some assurance that they indeed share the same private key. This is guaranteed by 
the following theorem. 

Theorem 4.2. Consider the BB84 protocol in which a quasiperfect source with parameters $(\beta, \gamma)$ is 
used and suppose that the conditions in Assumption 4.1 hold. Then there exists a function $\epsilon_2(n, \epsilon)$, 
bounded by $\epsilon_2(n, \epsilon) \le C(\epsilon) e^{-D(\epsilon) n}$ for some $C(\epsilon) > 0$ and $D(\epsilon) > 0$, such that for any tactic employed 
by Eve, $P(\kappa \ne \kappa_B \cap V) \le \epsilon_2(n, \epsilon)$, in which $P(\kappa \ne \kappa_B \cap V)$ denotes the probability that the keys 
defined by Bob and Alice are not equal while all the verification tests have succeeded. 

Proof. We consider the case where $a$, $b$, $g$, $h$ and $S = S_P \cup S_K$ are fixed but where $R$ may still 
vary, that is, we do not know the partition of $S$ into $S_P$ and $S_K$. We write $P'$ for the conditional 
probability distribution induced by this situation. Since $R$ is uniformly distributed and is only 
announced after Bob has made his measurement to determine $h$, each partition of $S$ is equally 
probable. Let $E = d_S(g, h)$ denote the total number of errors on $S$. The error correcting code 
employed in the protocol can correct $\lceil(\delta_P + \epsilon)n\rceil$ errors, which means the keys defined by Alice and 
Bob will only differ if $d_{S_K}(g, h) > \lceil(\delta_P + \epsilon)n\rceil$, while the test $V$ only succeeds if $d_{S_P}(g, h) \le \lfloor \delta_P n \rfloor$. 
First suppose that $E \ge \delta_P n + (\delta_P + \epsilon)n$. Then 

$$P'(\kappa \ne \kappa_B \cap V) \le 2^{-E} \sum_{j \le \lfloor \delta_P n \rfloor} \binom{E}{j} \le e^{-2t^2 E} \le e^{-\frac{\epsilon^2}{2(2\delta_P + \epsilon)} n}, \qquad (19)$$ 

where we have used Corollary A.4 with $p = \tfrac{1}{2}$ and $t = \tfrac{1}{2} - \frac{\lfloor \delta_P n \rfloor}{E} \ge \frac{\epsilon}{2(2\delta_P + \epsilon)}$. Now suppose that $E < 
\delta_P n + (\delta_P + \epsilon)n$. Then 

$$P'(\kappa \ne \kappa_B \cap V) \le 2^{-E} \sum_{j \ge \lceil(\delta_P + \epsilon)n\rceil + 1} \binom{E}{j} \le e^{-2t^2 E} \le e^{-\frac{\epsilon^2}{2(2\delta_P + \epsilon)} n}, \qquad (20)$$ 

where we have used Lemma A.3 with $p = \tfrac{1}{2}$ and $t = \frac{\lceil(\delta_P + \epsilon)n\rceil + 1}{E} - \tfrac{1}{2} \ge \frac{\epsilon}{2(2\delta_P + \epsilon)}$. Summing over 
all conditional probabilities $P'$ completes the proof. □ 



5 Proof of Main Result 

In this section, we set out to prove our main result, Theorem 4.1. To do this, we first introduce two 
new protocols which differ from BB84, but for which it is easier to analyze the attack by Eve. 

5.1 Reduction 

We shall refer to the first modified protocol as BB84M. It consists of the following modifications to 
the BB84 protocol defined in Section 2. 

• Before the quantum transmission, the box announces to Alice through a completely secure 
channel the positions $R$. 

• In step (QT5), the randomizing box announces the bit $\tilde b$ to Bob, defined by $\tilde b = b$ if the position 
under consideration is in $R$ and $\tilde b = \bar b$ otherwise. 

• In step (C1), the randomizing box announces $b$ for all positions, as usual. 

Note that Bob doesn't know a priori which positions are in $R$, so during the transmission phase 
he will not know which basis-bit will be announced by the box. The intuitive idea behind this 
modification is that in this situation, Bob has measured in the wrong basis for all the positions in 
$S_K$ and thus has no information about Alice's key. This modified procedure hence does not define a 
key distribution system, but is used only in the proof. In this light, we do not need to worry about 
the practicality of any of these modifications (for example, the private announcement of $R$ by the 
box to Alice). All that is required is that in principle it is possible. The usefulness of this modified 
protocol is established by the following result. 

Proposition 5.1. For any strategy adopted by a potential eavesdropper Eve, the random variable 
giving jointly Alice's private key and the information gathered by Eve has the same probability 
distribution in both protocols. 

Proof. The only thing that has been changed is the announcement of the basis-bit from the 
randomizing box to Bob, but this cannot be intercepted by Eve due to the assumption on this box. Since 
Alice's choices for $a$ and $g$ are equivalent, the emitted states are also equivalent. Since Bob's 
detector efficiency is basis independent, the subsets of photons which are successfully exchanged during 
the quantum transmission phase are equivalent. Also the information announced by Bob and the 
randomizing box is exactly the same, since on $R$ the outcome of Bob's measurement is unmodified. 
Alice does not use the announced set $R$ during the transmission phase, so this makes no difference. 
So all the information which could be obtained by Eve, from either the quantum channel or the 
classical announcements, remains completely equivalent and thus the probability distributions are 
equal. □ 

We have seen that it is enough to prove the privacy in the modified protocol BB84M discussed above. However, if we can prove privacy in a further modified protocol BB84MM in which Eve receives more information than in the above protocol and can have a larger influence on the announcements, then this will immediately also imply privacy of the BB84M protocol and hence of the original BB84 protocol.

In particular, we shall consider BB84MM, which consists of the following further modifications to BB84M.

• Alice generously announces $g[\bar S_K]$ in step (C6) instead of merely $g[S_P]$.

• Eve and Bob work together, that is, Bob tells Eve the announcement of the basis-bit he receives from the box and they together perform any measurement they want to determine a vector $h$.

• Bob announces the complete vector $h$ before the announcement of $R$ by the box in (C1).

The next proposition shows that it is indeed sufficient to prove the privacy of BB84MM against all possible attacks.

Proposition 5.2. Consider any eavesdropping tactic Eve can employ on BB84M and let $P$ be the probability distribution of the resulting random variable which gives jointly Alice's key and the information gathered by Eve. Then there is a corresponding eavesdropping tactic on BB84MM with probability distribution $P'$ that satisfies $H_{P'} \le H_P$.

Proof. Notice that for any tactic on BB84M, Eve can do exactly the same thing to eavesdrop on BB84MM, by letting Bob perform the same measurement as in BB84M to get $h$. The only difference is that now Eve receives more classical information than she did in BB84M, i.e. $v' = (v, c_{\rm extra})$, where $v'$ is Eve's information in the BB84MM protocol and $v$ denotes the information gathered in the BB84M protocol. We compute

$$\sum_{\kappa\in\mathbb{F}_2^m}\sum_{v\in V} P(\kappa,v)\,\log_2\left(\frac{\sum_{c_{\rm extra}|v} P'(v')}{\sum_{c_{\rm extra}|v} P'(\kappa,v')}\right) = H_P \;\ge\; H_{P'}, \tag{21}$$

in which the inequality follows from Lemma A.5. Here we have used the notation $\sum_{c_{\rm extra}|v}$ to denote the sum over all $c_{\rm extra}$ for which $(v, c_{\rm extra}) \in V'$.

□

Notice that this final reduction makes it possible to consider Eve and Bob as a single participant 
we shall call Eve-Bob, who wishes to find out as much as possible about Alice's key. 

5.2 Formalism 

In this section we describe the formalism used to model Eve-Bob's attack on BB84MM. The system seen by Eve-Bob can be seen as a state in a Hilbert space $\mathcal H_{\rm sys} = \mathcal H_C \otimes \mathcal H_S$, where $\mathcal H_C$ is a Hilbert space which describes all the classical bit-strings generated during the protocol by Alice and the randomizing box and $\mathcal H_S = \bigotimes^{N^{\rm total}} \mathcal H_Q$ is the state space for the ensemble of transmitted quantum states. We have $\mathcal H_C = \mathrm{span}\{|c\rangle\}_{c\in C}$ for some set $C$ of states which we will define later. Each state $c \in C$ will correspond to a classical bit-string and since these bit-strings can be perfectly distinguished from one another, the corresponding states are all mutually orthogonal.

Any quantum state in a Hilbert space $\mathcal H$ is fully defined by the corresponding density matrix, which is a Hermitian linear operator $\rho : \mathcal H \to \mathcal H$ that satisfies $\mathrm{Tr}\,\rho = 1$ and $\langle x, \rho x\rangle \ge 0$ for all $x \in \mathcal H$. For finite dimensional Hilbert spaces such an operator is described by a Hermitian non-negative matrix with unit trace. The density matrix $\rho_{\rm sys}$ for any state in $\mathcal H_{\rm sys}$ encountered by Eve-Bob can be written in the canonical form

$$\rho_{\rm sys} = \sum_{c\in V} P(c)\,|c\rangle\langle c| \otimes \rho_c, \tag{22}$$

where $V$ is a subset of $C$ and $P$ is a probability distribution on $V$, i.e. $P(c) \ge 0$ and $\sum_{c\in V} P(c) = 1$. For notational convenience, we define the concept of a measurement operator, which will be used to describe measurements on quantum systems.

Definition 5.1. A measurement operator on a Hilbert space $\mathcal H$ is a linear Hermitian operator $F : \mathcal H \to \mathcal H$ that satisfies $\langle x, Fx\rangle \ge 0$ for all $x \in \mathcal H$. □

The result of a general measurement on a system described in a Hilbert space $\mathcal H$ can be seen as an outcome of a random variable $q$ reflecting the measured physical quantity. The probability distribution of the outcomes can be described using a positive operator valued measure, defined below.

Definition 5.2. A positive operator valued measure (POVM) on a Hilbert space $\mathcal H$ consists of a set of outcomes $Q$ together with a set $\{F_q\}_{q\in Q}$ of measurement operators on $\mathcal H$, such that $\sum_{q\in Q} F_q = 1_{\mathcal H}$. For every outcome $q$ of the measurement, the probability of obtaining that outcome when performing the measurement on a system with state $\rho$ is given by $\mathrm{Tr}\,F_q\rho$. □

We note here that the POVM description can include measurements performed on external systems and possible probes attached to the state $\rho$. We refer to [ref] for a general discussion on generalized measurements.

Eve-Bob's attack can be seen as a generalized measurement on the emitted state and thus can be described using the POVM formalism. Actually, two measurements are performed: one before the classical announcements by Alice and the randomizing box and one after these announcements. However, it is technically easier to describe the attack as a single POVM acting on the complete state $\rho_{\rm sys}$. We will use the restriction that the measurement of $h$ is made before Alice and the box make their announcements to derive a constraint on the form of the POVM. To reflect the special nature of the classical announcements, we may assume that we can decompose every measurement operator on $\mathcal H_{\rm sys}$ as a sum of terms $\Pi_c \otimes E_s$, where $\Pi_c$ is a projection operator which can be written as $\Pi_c = \sum_{c\in A}|c\rangle\langle c|$ for some subset $A \subset C$ and $E_s$ is a measurement operator acting on the state space $\mathcal H_S$ of the photons. Now we may always assume for Eve-Bob's POVM that each measurement operator consists of a single term, as we can otherwise split the measurement operator into multiple operators. This gives more detailed information than the original POVM and hence has a lower conditional Shannon entropy, as can be seen from the proof of Proposition 5.2.

From now on, we will omit the vector sign on bit-strings if the distinction between a bit and a bit-string is clear from the context. The set of all classical states is given by $C = \{(a, g, \pi, R, s)\}$, running over all possible combinations, noting that the syndrome $s$ is a function of all the other classical variables. We consider the string $\tilde b$ announced by the box to Eve-Bob to be fixed during our analysis, which is why we do not include $b$ as part of the information in $C$, as it can be calculated given $R$. As a further convenient restriction, we assume that the set $C$ contains only those classically generated bit-strings that pass the verification test (C5). Since the key chosen by Alice is perfectly uniformly distributed if this test fails, it is possible to impose this restriction without loss of generality.

The classical announcements received by Eve-Bob are $y = (a, g[\bar S_K], R, s, \pi)$ and we define $\mathcal Y$ to be the set of all such announcements $y$ which are possible under the restriction that the test (C5) passes. The complete view $v$ that Eve-Bob gets from her measurements is given by $v = (y, h, j)$, where $j$ describes any additional information Eve-Bob can infer from her measurements. Thus Eve-Bob's attack can be described by a POVM $\{F_v\}$ in which $F_v = \Pi_{y(v)} \otimes E_v$. To reflect the fact that the measurement of $h$ is also a POVM and occurs without any knowledge of the classical outcomes, we may write $\sum_{v|h} F_v = \sum_{c\in C}\Pi_c \otimes E_h = 1_{\mathcal H_C}\otimes E_h$ for some measurement operator $E_h$. For convenience, we assume that the set $V$ is finite, which is a reasonable assumption due to the nature of any measuring device. However, it is merely a technical issue to extend the argument given here to infinite sets $V$, so this discussion can be avoided. Without loss of generality, we may also assume that $P(v) > 0$ for all $v \in V$, since any view with $P(v) = 0$ does not contribute to the conditional Shannon entropy. Finally, we need only consider attacks for which $P(\bar V) > 0$, where $\bar V \subset V$ is the subset of $V$ which consists of all views $v$ which pass the verification test (C7). Indeed, if this condition is not satisfied, the protocol is trivially secure since then the key that Alice chooses is independent of her interactions with Eve-Bob. We summarize the above discussion by defining the concept of a normalized attack.

Definition 5.3. An attack by Eve-Bob on the BB84MM protocol is a normalized attack if it can be described by a POVM $\{F_v\}_{v\in V}$ on $\mathcal H_{\rm sys}$, for which the following identities hold.

N1. Every $v \in V$ can be written as $v = (y, h, j)$, for some $y \in \mathcal Y$ and $h \in \mathbb F_2^{N^{\rm total}}$.

N2. The set $V$ is finite and $P(v) > 0$ for all $v \in V$, where $P$ is the probability distribution induced by Eve-Bob's attack. In addition, $P(\bar V) > 0$.

N3. For every $v \in V$, the corresponding measurement operator can be decomposed as $F_v = \Pi_{y(v)} \otimes E_v$ for some measurement operator $E_v$ on $\mathcal H_S$.

N4. For every $h \in \mathbb F_2^{N^{\rm total}}$, we have $\sum_{v|h} F_v = 1_{\mathcal H_C} \otimes E_h$ for some measurement operator $E_h$ on $\mathcal H_S$.

□

The above discussion combined with Propositions 5.1 and 5.2 implies that once we have established the following result, the proof of Theorem 4.1 will be complete.

Theorem 5.3. Consider the BB84MM protocol in which a quasiperfect source with parameters $(\beta_{qp}, \gamma_{qp})$ is used and suppose that the conditions in Assumption 4.1 hold. Then there exist a function $\epsilon_1(n, m, \epsilon)$ that satisfies equation (…) together with a function $N(\epsilon)$, such that for any normalized attack on the BB84MM protocol, (…) holds for all $n > N(\epsilon)$.

The next lemma states some very useful properties that the measurement operators satisfy and which will be used often throughout the proof of Theorem 5.3.

Lemma 5.4. Consider a normalized attack on the BB84MM protocol. For every classical outcome $y \in \mathcal Y$, we have $\sum_{v|y} E_v = 1_{\mathcal H_S}$. In addition, for every $y \in \mathcal Y$ and $h \in \mathbb F_2^{N^{\rm total}}$, we have $\sum_{v|(y,h)} E_v = E_h$.

Proof. The first identity can easily be seen by noting that for each $c \in C$, there is exactly one classical outcome $y$ which is compatible. We refer to this outcome as $y(c)$. Each projection matrix $\Pi_y$ is diagonal in the $|c\rangle$ basis, so we see that $\langle c|\Pi_y|c\rangle = \delta_{y,y(c)}$. But since $\sum_v \langle c|\Pi_{y(v)}|c\rangle E_v = 1_{\mathcal H_S}$, the identity immediately follows, using the fact that every $y$ has at least one compatible $c$. The second identity can be proved similarly using (N4). □

It will turn out to be very convenient to consider the view $z = (h, a, R, g[R], \pi)$ which gives part of the information $v$ gathered by Eve-Bob. We write $z_c = (a, R, g[R], \pi)$ for the classical part of the view $z$, together with $Z$ and $Z_c$ for the set of all possible views $z$ and $z_c$ respectively. Upon calculating the measurement operator for this partial view, we find

$$F_z = \sum_{v|z} F_v = \sum_{y|z_c}\sum_{v|(y,h(z))} F_v = \sum_{y|z_c}\sum_{v|(y,h(z))} \Pi_y \otimes E_v = \Big(\sum_{y|z_c}\Pi_y\Big)\otimes E_{h(z)} = \Pi_{z_c}\otimes E_{h(z)}, \tag{23}$$

which expresses the nontrivial fact that the measurement operator for any $z$ remains a simple tensor product. With similar reasoning as in the proof of Lemma 5.4 we may conclude that for any $z_c$,

$$\sum_{z|z_c} E_{h(z)} = 1_{\mathcal H_S}. \tag{24}$$

The following lemma shows how we can reduce a trace over the complete space $\mathcal H_{\rm sys}$ into a trace which runs merely over the state space $\mathcal H_S$ for the photons.

Lemma 5.5. Consider a density matrix $\rho_{\rm sys}$ of a state in $\mathcal H_{\rm sys} = \mathcal H_C\otimes\mathcal H_S$ of the form

$$\rho_{\rm sys} = \sum_{c\in V}P(c)\,|c\rangle\langle c|\otimes\rho_c, \tag{25}$$

where $\rho_c$ is a density matrix of a state in $\mathcal H_S$ and $P$ is a probability distribution on $V$. Consider a measurement operator of the form

$$F = \Big(\sum_{c\in A}|c\rangle\langle c|\Big)\otimes F_S, \tag{26}$$

where $A\subset V$. Then for any linear operators $W_1$ and $W_2$ acting on $\mathcal H_S$, we have

$$\mathrm{Tr}_{\mathcal H_{\rm sys}}\big(FW_1\rho_{\rm sys}W_2\big) = P(A)\,\mathrm{Tr}_{\mathcal H_S}\big(F_SW_1\rho_{{\rm sys},A}W_2\big), \tag{27}$$

where $\rho_{{\rm sys},A}$ is given by $1_{\mathcal H_S}/\mathrm{Tr}\,1_{\mathcal H_S}$ if $P(A) = 0$ and otherwise by

$$\rho_{{\rm sys},A} = \frac{1}{P(A)}\sum_{c\in A}P(c)\rho_c. \tag{28}$$

Proof. We have

$$\mathrm{Tr}\big(FW_1\rho_{\rm sys}W_2\big) = \sum_{c\in A}\sum_{c'\in V}P(c')\,\mathrm{Tr}\big(|c\rangle\langle c|c'\rangle\langle c'|\big)\,\mathrm{Tr}\big(F_SW_1\rho_{c'}W_2\big). \tag{29}$$

Noticing $\mathrm{Tr}\big(|c\rangle\langle c|c'\rangle\langle c'|\big) = \delta_{cc'}$, we see that the above expression reduces to

$$\sum_{c\in A}P(c)\,\mathrm{Tr}\big(F_SW_1\rho_cW_2\big) = \mathrm{Tr}\Big(F_SW_1\sum_{c\in A}P(c)\rho_c\,W_2\Big). \tag{30}$$

From this the claim immediately follows. □

Let us consider the setting described in Theorem 5.3. We define the function $g(n,\epsilon) = e^{-\epsilon^2 n} + e^{-\delta\epsilon n}$, which vanishes exponentially as $n$ increases. For any integer $N$ and any two bitstrings $b, w\in\mathbb F_2^N$ we introduce the notation $P_b^w = \bigotimes_{i=1}^N P_{b[i]}^{w[i]}$. We also define, for any $z\in Z$ and any constant $\epsilon_c > 0$, the projection operator $\Pi_0(z,\epsilon_c)$ via

$$\Pi_0(z,\epsilon_c) = \sum_{w\in W(z,\epsilon_c)} P_b^w, \tag{31}$$

where $W(z,\epsilon_c) = \{w\in\mathbb F_2^{N^{\rm total}} \mid d_{S_K}(w, h(z)) \ge (\tfrac{1}{1-\lambda}\delta_P + \tfrac12\gamma_{qp} + \epsilon_c)\,n\}$, in which $\lambda$ is defined by (14). Using the above definitions, we introduce the subset of views $\mathcal C_{\epsilon_c}\subset\bar V\subset V$, defined by

$$\mathcal C_{\epsilon_c} = \{v\in\bar V \mid \mathrm{Tr}[F_v\,\Pi_0(z,\epsilon_c)\,\rho\,\Pi_0(z,\epsilon_c)] \le \sqrt{g(n,\epsilon)}\,P(v)\}. \tag{32}$$

In [15], views $v\in\mathcal C$ were said to satisfy the small sphere property. Our approach to proving Theorem 5.3 will be to decompose the state emitted by the source via $\rho = (\Pi_0 + (1-\Pi_0))\rho(\Pi_0 + (1-\Pi_0))$ and correspondingly split the expression $P(\kappa,v) = \mathrm{Tr}\,F_{\kappa,v}\rho$. For views which satisfy the small sphere property we shall use the fact that $\mathrm{Tr}\,F_{\kappa,v}\Pi_0\rho\Pi_0$ is small to bound the differences $P(\kappa_1,v) - P(\kappa_2,v)$, which proves that $v$ does not yield a significant amount of information on the key $\kappa$. The following proposition roughly says that almost every view $v\in\bar V$ satisfies the small sphere property, which makes it reasonable to assume that views which do not possess this property do not pose a large security threat.

Proposition 5.6. Consider the BB84MM protocol in which a quasiperfect source with parameters $(\beta_{qp},\gamma_{qp})$ is used and suppose that the conditions in Assumption 4.1 hold. Consider any normalized attack by Eve-Bob on BB84MM and let $P$ be the associated probability distribution. Then

$$P(\mathcal C_\epsilon) \ge P(\bar V) - \sqrt{g(n,\epsilon)}.$$

Proof. We consider a slight variant of BB84MM, consisting of the following modifications.

• For each position in $\bar R$, Alice's source produces $\rho_{\bar a}$ instead of $\rho_a$.

• For each position in $R$, Alice applies the unitary transformation $\rho\mapsto T_a^\dagger\rho T_a$ to the photon, which makes it diagonal in the $P_a$ measurement basis.

• Alice performs a measurement on each photon before sending it to Eve-Bob. For each position $i$ in $\bar R$, Alice measures in the $P_{\bar a[i]}$ basis, while for each position in $R$, Alice measures in the $P_{a[i]}$ basis. Alice records the results as $g_T$ for future reference.

Let $\rho'$ denote the state emitted by the source in this modified protocol and write $P'$ for the probability distribution defined by Eve-Bob's attack on this modified protocol. For convenience, we define $\delta = \delta_P/(1-\lambda)$. Without loss of generality, we shall assume that the positions belonging to $R$ come first and the positions belonging to $\bar R$ second. We write $v_T = (a, R, g_T)$ for the results received by Alice and let $V_T$ be the set of all possible results Alice can receive. We can then model the measurement of Alice as a POVM

$$\{\Pi_{v_T} = \Pi^C_{a,R}\otimes P(a,R,g_T[R])\,\bar P(a,R,g_T[\bar R])\}, \tag{33}$$

in which

$$P(a,R,g_T[R]) = \bigotimes_{i\in R}P^{g_T[i]}_{a[i]}\otimes 1_{\bar R}, \qquad \bar P(a,R,g_T[\bar R]) = 1_R\otimes\bigotimes_{i\in\bar R}P^{g_T[i]}_{\bar a[i]}. \tag{34}$$

Notice that in this case, each measurement operator is in fact a projection operator. This allows us to compute the state seen by Eve-Bob after Alice's measurement, which is simply $\Pi\rho'\Pi$ if $\Pi$ is the projection operator associated with the outcome received by Alice.

We now define a test $T$, which is a function of Eve-Bob's announcement of $h$ and the results of Alice's measurement $g_T$. The test $T$ succeeds if the number $d_{S_P}(h,g_T)$ of differences between $h$ and $g_T$ on $S_P$ satisfies $d_{S_P}(h,g_T)\le\delta n$, while the number of differences $d_{S_K}(h,g_T)$ on $S_K$ satisfies $d_{S_K}(h,g_T)\ge(\delta+\tfrac12\gamma_{qp}+\epsilon)\,n$. Formally, we can consider $T$ to be a subset of the combined view space $Z\times V_T$. Letting $T(z)\subset V_T$ be the set of Alice's views which pass the test given a value of $z$, we can write $T = \bigcup_{z\in Z}z\times T(z)$. We can thus calculate

$$P'(T) = \sum_{z\in Z}\sum_{v_T\in T(z)}P'(z,v_T) = \sum_{z\in Z}P'\big(z\mid\Pi_{T(z)}\rho'\Pi_{T(z)}\big). \tag{35}$$
The interesting thing to note is that if $T(z)$ is true, we know that the state after Alice's measurement is given by $(\mathrm{Tr}\,\phi)^{-1}\phi$, where $\phi = \sum_{v_T\in T(z)}\Pi_{v_T}\rho'\Pi_{v_T}$. Now note that

$$\sum_{v_T\in T(z)}\Pi_{v_T} = \Pi^C_{a,R}\otimes\Big(\sum_{g_T\in\mathcal G(z)}P(a,R,g_T[R])\,\bar P(a,R,g_T[\bar R])\Big) = \Pi^C_{a,R}\otimes\Pi_1(z)\,\Pi_0(z), \tag{36}$$

in which $\mathcal G(z) = \{g_T \mid d_{S_P}(g_T,h)\le\delta n \wedge d_{S_K}(g_T,h)\ge(\delta+\tfrac12\gamma_{qp}+\epsilon)n\}$ and

$$\Pi_1(z) = \sum_{w\in W_1(z)}P_b^w, \tag{37}$$

where $W_1(z) = \{w\in\mathbb F_2^{N^{\rm total}} \mid d_{S_P}(w,h(z))\le\delta n\}$. Here we have used that $\tilde b[i] = \bar a[i]$ for every position $i\in S_K$ and $\tilde b[i] = a[i]$ for every position $i\in S_P$, together with the completeness condition $\sum_{w\in\mathbb F_2^{N^{\rm total}}}P_b^w = 1$.

The important observation now is that each emitted photon is diagonal in the basis it is measured in, which allows us to write

$$\sum_{v_T\in T(z)}\Pi_{v_T}\rho'\Pi_{v_T} = \Big(\sum_{v_T\in T(z)}\Pi_{v_T}\Big)\rho'\Big(\sum_{v_T\in T(z)}\Pi_{v_T}\Big). \tag{38}$$

Now define the projection operators $\Pi_{T(z)}$ and $\Pi^S_{T(z)}$ via $\sum_{v_T\in T(z)}\Pi_{v_T} = \Pi_{T(z)} = \Pi^C_{a,R}\otimes\Pi^S_{T(z)}$ and note that

$$\Pi^S_{T(z)} = \Pi_1(z)\,\Pi_0(z). \tag{39}$$

Suppose now that Alice announces the result of her measurement $g_T$ on each photon after Eve-Bob have announced $h$. Given the partial outcome $h$ of Eve-Bob's measurement, Eve-Bob can now announce a string $R_{\rm guess}$, defined by $R_{\rm guess}[i] = 1\oplus g_T[i]\oplus h[i]$, where $\oplus$ denotes addition modulo two. Denote by $T'\subset Z\times V_T$ the set of all events such that $R_{\rm guess}$ differs from $R$ on $S_K\cup S_P$ in at most $n(1-\tfrac12\gamma_{qp}-\epsilon)$ positions, where we write $R[i] = 1$ if $i\in R$ and $R[i] = 0$ otherwise. Then it is the case that $T\subset T'$, since the total number of differences between $R_{\rm guess}$ and $R$ for any combined view in $T$ is bounded by

$$d_{S_P}(R_{\rm guess},R) + d_{S_K}(R_{\rm guess},R) \le \delta n + n\big(1-(\delta+\tfrac12\gamma_{qp}+\epsilon)\big) = n(1-\tfrac12\gamma_{qp}-\epsilon). \tag{40}$$

Since Eve-Bob has no classical information when measuring $h$ and in particular does not know $R$, a correct announcement of $R_{\rm guess}[i]$ for some position $i\in S_P\cup S_K$ corresponds to a correct distinguishing of the state $P^{g_T[i]}_{b[i]}\rho$ from $P^{g_T[i]}_{\bar b[i]}\rho$. Here we have used (…) and $P^{g_T[i]}_{b[i]}\rho P^{g_T[i]}_{b[i]} = P^{g_T[i]}_{b[i]}\rho$, together with a similar identity for $\bar P$, which both follow from (S4), (S7) and the fact that each emitted photon is diagonal in the basis it is measured in.

Theorem A.2 in combination with (S9) shows that the success rate for a correct announcement of $R_{\rm guess}$ on any $0 < s\le 2n$ positions is bounded from above by $(\tfrac12+\tfrac14\gamma_{qp})^s$, since each position in $S_K\cup S_P$ has probability $\tfrac12$ of being in $R$. Thus, even if Eve-Bob chooses the optimal strategy for determining $R_{\rm guess}$, which has success rate $p_{\rm suc} = \tfrac12+\tfrac14\gamma_{qp}$, the probability $P'(T')$ that $d_{S_K\cup S_P}(R_{\rm guess},R)\le 2n(\tfrac12-\tfrac12\epsilon-\tfrac14\gamma_{qp})$ can be bounded from above by

$$P'(T') \le \sum_{2n(\frac12+\frac12\epsilon+\frac14\gamma_{qp})\le i\le 2n}\binom{2n}{i}\,p_{\rm suc}^{\,i}\,(1-p_{\rm suc})^{2n-i} \le e^{-\epsilon^2 n}, \tag{41}$$

in which we have used Lemma A.3 with $t = \tfrac12+\tfrac12\epsilon+\tfrac14\gamma_{qp}-p_{\rm suc} = \tfrac12\epsilon$. We thus obtain $P'(T)\le P'(T')\le e^{-\epsilon^2 n}$.

On the other hand, we can use (35) to compute

$$P'(T) = \sum_{z\in Z}\frac{\mathrm{Tr}\,F_z\Pi_{T(z)}\rho'\Pi_{T(z)}}{\mathrm{Tr}\,\Pi_{T(z)}\rho'}\,\mathrm{Tr}\,\Pi_{T(z)}\rho' = \sum_{z\in Z}\mathrm{Tr}\,F_z\Pi_{T(z)}\rho'\Pi_{T(z)} = \sum_{z\in Z}\mathrm{Tr}\,\big(\Pi_{z_c}\otimes E_{h(z)}\Pi^S_{T(z)}\big)\rho'\big(1_{\mathcal H_C}\otimes\Pi^S_{T(z)}\big). \tag{42}$$

We can now use Lemma 5.5 to transform the above expression into

$$P'(T) = \sum_{z\in Z}P'(z_c)\,\mathrm{Tr}\big(E_{h(z)}\Pi^S_{T(z)}\rho'_{z_c}\Pi^S_{T(z)}\big), \tag{43}$$

where $\rho'_{z_c}$ denotes the state $\rho'_{{\rm sys},A}$ of Lemma 5.5 for the set $A$ of classical states compatible with $z_c$.

We remark here that the above expression resembles the definition of $\mathcal C$ in (32), except for the presence of the projection operator $\Pi_1$. The idea is that for views in $\bar V$, $\Pi_1\rho'\Pi_1\approx\rho'$ in some sense, since the number of errors on $S_P$ is small. We thus set out to bound the quantity

$$\Delta = \sum_{z\in\bar V}\mathrm{Tr}\big(F_z\Pi^S_{T(z)}\rho'\Pi^S_{T(z)}\big) - \mathrm{Tr}\big(F_z\Pi_0\rho'\Pi_0\big). \tag{44}$$

We can use Lemma 5.5 in combination with the expression (39) for $\Pi^S_{T(z)}$ to explicitly split the sum over $z\in\bar V$ and write

$$\Delta = \sum_{z_c\in Z_c}\sum_{z\in\bar V\cap V_{z_c}}P'(z_c)\,\mathrm{Tr}\,E_{h(z)}\big(\Pi_1\Pi_0\rho'_{z_c}\Pi_0\Pi_1 - \Pi_0\rho'_{z_c}\Pi_0\big), \tag{45}$$

where $V_{z_c} = \{z'\in Z \mid z'_c = z_c\}$.

From now on, we shall consider $z_c$ to be fixed, so we consider each term in the sum above individually. Note that $z_c$ contains information on the value $g$ for each bit in $R$. We can thus write $\rho'_{z_c}$ as a tensor product (possibly after reordering bits) $\rho'_R\otimes\rho'_{\bar R}$, in which $\rho'_{\bar R} = 2^{-|\bar R|}\,1^{\otimes|\bar R|}$. Let $a = a(z_c)$ and define the unitary matrix $U_a$ which diagonalizes $\rho'_{z_c}$, $\Pi_0$ and $\Pi_1$ simultaneously. Such a matrix exists due to our assumptions (S7) and (S4) on the source, by taking $U_a$ to be a tensor product of single-photon unitaries determined by $a[k]$ at each position $k$. Note that $\Pi_1$ operates only on $\rho'_{S_P}$, while $\Pi_0$ operates only on $\rho'_{S_K}$. In addition, since $U_a$ depends only on the classical part of $z$, we have for any $z\in V_{z_c}$



Tr Efl (nifio^niiio - n 0(O ' 2c n 

Tr[^W^ [fl] (l - 



(46) 



Tr ulElu a (nfp'jfnf ® n^n^ 

where everything marked with a superscript $d$ has been diagonalized.

We now bound, independently of the non-classical part of $z$, each diagonal element of $\Pi_1^d\rho'^d_R\Pi_1^d\otimes\Pi_0^d\rho'^d_{\bar R}\Pi_0^d$. Without loss of generality (possibly rearranging matrix positions) we shall assume the identities



d : . ^ a = . w 





= diag« j2 , . . . < dg , . . . , ^ a - diag(/3 a a 1; . . . ■ ■ ■ <«,.)• (48) 

For intuition purposes, we remark that the $\alpha$ values are in general large when compared to the $\beta$ values. It is easy to see that (after rearranging) $\Pi_1^d = \Pi_1^{S_P}\otimes 1_{\rm rest}$. Also write $\rho'^d_R = \rho_{S_P}\otimes\rho_{\rm rest}$. We now consider the diagonal $D^n\times D^n$ matrix $\bar\Pi_1^{S_P}\rho_{S_P}\bar\Pi_1^{S_P}$, where $D$ is the dimension of the state space $\mathcal H_Q$ for a single photon. Let $w$ be a string in $\{0,1,\ldots,D-1\}^n$ and let $e(w)$ be the corresponding $w$-th diagonal element of $\rho_{S_P}$, that is,



Similarly, we define $p(w)$ to be the $w$-th diagonal element of $\bar\Pi_1^{S_P}$. Please note that $p(w) = 1$ if and only if $d_{S_P}(w,h)\ge\delta n$. Using the fact that the verification test has passed, we know $d_{S_P}(g,h)\le\delta_Pn = (1-\lambda)\delta n$. Thus, using the inequality $d(w,g)\ge d(w,h)-d(h,g)\ge(\delta-(1-\lambda)\delta)n = \lambda\delta n$, we see that if $p(w) = 1$ we must have $d_{S_P}(w,g)\ge\lambda\delta n$. Since this last inequality depends only on the value of $g$, we obtain the following bound, which only depends on $z_c$,

n 

p(w)e(w)p(w) < max(0, d Sv {w,g) - XSn) J] (p^ M ) to[t>M = (50) 

i=l 

Now, noting that (24) implies that for any $u\in\{0,\ldots,D-1\}^{N^{\rm total}}$ it holds that $\sum_{z\in V_{z_c}}(U_a^\dagger E_{h(z)}U_a)_{uu}\le 1$, one derives the inequality

£ r(z)<Tr^ est ,®p' fi d J] %)= E B H- (51) 

zGl4 c to6{0,l,...-D-l}™ !i>e{0,l,. ..23-1}" 
Defining $\mathcal V = \{(a,b,c,d)\in\mathbb N_0^4 \mid a+b+c+d\ge\lambda\delta n\}$ and $W = \{0,1,\ldots,D-1\}^n$, we compute



i 9 N 9 —i 9 

£*w = £ U( N J) £ IK- M E ft°<. w (52) 

»w (<8,<J,<;,<i)ev -rg-J v Q 7 ..,4}4 3'=i lu'e^,...,^}^-^ i'=i 

where $N_a^g$ is the number of positions in $S_P$ that have basis-bit $a$ and key-bit $g$. This can be seen by noting that, given a choice of distance $d_{S_P}(w,g)\ge\lambda\delta n$ and a distribution of the errors over the different bits, which can occur in $\prod_a\binom{N_a^g}{i_a^g}$ ways, the number of compatible strings $w$ is determined by the error pattern alone. Summing over the $e(w)$ values for these strings gives the above expression. Now notice that for any $d,s\in\mathbb N$ and any set of reals $\gamma_1,\ldots,\gamma_d$, we have

$$\sum_{w\in\{1,\ldots,d\}^s}\prod_{j=1}^s\gamma_{w_j} = \Big(\sum_{j=1}^d\gamma_j\Big)^s. \tag{53}$$

This can be easily seen by expanding the power. Using this, we obtain 

Z w ewBW = Zao^o^v Ufj )(ESiC) i| E?£i< J ) JV «- i « = 

E ( ,g li x 1 ^, 6 vJ5 i (^ ! (l-AVi-*= (54) 
s=oa 



where $\mathcal V = \{(i,j)\in\mathbb N_0^2 \mid i+j\ge\lambda\delta n\}$ and $\tilde\beta_a = \sum_j\beta_{a,j}$. This was obtained using Lemma A.3 with



t = X5- max(/3 , A) = — - max ( Tr P oVo, Tr > — - qp > i e , (55) 

where the last inequality follows from the assumption (14). Finally, this means we have obtained

A< P'(z c )e- e2 " = e-^ n (56) 

z c 62 c 

and hence 

TiF z U oP 'U = P'{z c )TrE^liopf Ze n < e~^ n + e~^ n . (57) 

We can now use the fact that, since $z_c$ contains no information on $g[\bar R]$, $\rho'_{z_c} = 2^{-|\bar R|}\rho'_R\otimes 1^{\otimes|\bar R|}$. However, this also holds for the state emitted in the real protocol, so we have $\rho_{z_c} = \rho'_{z_c}$. In addition, since the modifications do not influence the choice of $g[R]$, $a$, $R$ and $\pi$, we have $P'(g[R],a,R,\pi) = P(g[R],a,R,\pi)$. This allows us to write

$$\sum_{v\in V}\mathrm{Tr}\,F_v\Pi_0\rho\Pi_0 = \sum_{z}\mathrm{Tr}\,F_z\Pi_0\rho\Pi_0 \le g(n,\epsilon). \tag{58}$$
We now employ Lemma A.6 with the probability distribution $P_{\bar V}(v) = P(v\mid\bar V) = P(v)/P(\bar V)$ on $\bar V$ and $q = P(\bar V)\,g(n,\epsilon)^{-\frac12}$ to conclude that

$$P_{\bar V}(\mathcal C_\epsilon)\ge 1-\sqrt{g(n,\epsilon)}/P(\bar V). \tag{59}$$

The claim now follows upon multiplying both sides of the above inequality by $P(\bar V)$. □



Corollary 5.7. Suppose that $\epsilon_d\ge\epsilon$. Then $P(\mathcal C_{\epsilon_d})\ge P(\bar V)-\sqrt{g(n,\epsilon)}$.

Proof. The proof of Proposition 5.6 goes through if we replace $\epsilon$ by $\epsilon_d$ everywhere. Since $g(n,\epsilon_d)\le g(n,\epsilon)$, we see that

$$\{v\in\bar V \mid \mathrm{Tr}[F_v\Pi_0(z,\epsilon_d)\rho\Pi_0(z,\epsilon_d)]\le\sqrt{g(n,\epsilon_d)}\,P(v)\}\subset\mathcal C_{\epsilon_d} \tag{60}$$

and hence $P(\mathcal C_{\epsilon_d})\ge 1-\sqrt{g(n,\epsilon_d)}\ge 1-\sqrt{g(n,\epsilon)}$, which establishes the claim. □

The following proposition will be used to extract the key independent part of the probability distribution $P(\kappa,v)$. The assumption (S6) on the source plays a crucial role in the proof.

Proposition 5.8. Consider a BB84 source that is quasiperfect with parameters $(\beta_{qp},\gamma_{qp})$. Let $F$ be an arbitrary $r\times n$ binary matrix and $K$ an $m\times n$ binary matrix, for some integers $m, r$ and $n$ which satisfy $0 < m, r < r+m < n$. Define $d_w$ to be the minimal weight of linear combinations of rows from $F$ and $K$ which contain at least one row from $K$. Suppose that two arbitrary strings $b, h\in\mathbb F_2^n$ and a constant $d''$ are given, such that $d'' < \tfrac12 d_w$. Let $X$ be a measurement operator acting on $\mathcal H_Q^{\otimes n}$ such that $XP_b^j = 0$ for all strings $j\in\mathbb F_2^n$ which satisfy $d(h,j) > d''$. For any $\kappa\in\mathbb F_2^m$ and $s\in\mathbb F_2^r$, define the set

$$C_{\kappa,s} = \{g\in\mathbb F_2^n \mid Fg = s \text{ and } Kg = \kappa\} \tag{61}$$

and the state

$$\rho_{\kappa,s,b} = \frac{1}{|C_{\kappa,s}|}\sum_{g\in C_{\kappa,s}}\rho(g,b), \qquad \rho(g,b) = \bigotimes_{i=1}^n\rho_{b[i]}^{g[i]}. \tag{62}$$

Then $\mathrm{Tr}\,X\rho_{\kappa,s,b}$ is independent of $\kappa$.

Proof. It is enough to show that for any two keys $\kappa,\kappa'\in\mathbb F_2^m$ and $\Delta\rho = \rho_{\kappa,s,b}-\rho_{\kappa',s,b}$, we have

$$P_b^k\,\Delta\rho\,P_b^l = 0 \tag{63}$$

for all strings $k,l\in\mathbb F_2^n$ which satisfy $d(k,l) < d_w$. Indeed, assuming this, write

$$\mathrm{Tr}\,X\Delta\rho = \sum_k\sum_l\mathrm{Tr}\,XP_b^k\Delta\rho P_b^l = \sum_{k,l\,|\,d(k,l)\ge d_w}\mathrm{Tr}\,XP_b^k\Delta\rho P_b^l = \sum_{k,l\,|\,d(k,l)\ge d_w}\mathrm{Tr}\,P_b^lXP_b^k\Delta\rho. \tag{64}$$

It can be seen that for every pair of strings $k,l\in\mathbb F_2^n$ with $d(k,l)\ge d_w$, either $XP_b^k = 0$ or $P_b^lX = 0$. Indeed, assuming the contrary, then $d(k,h) < \tfrac12 d_w$ and also $d(l,h) < \tfrac12 d_w$. However, $d(k,l)\le d(k,h)+d(h,l) < d_w$, which immediately gives a contradiction. This fact now implies $\mathrm{Tr}\,X\Delta\rho = 0$, which is the claim stated in the proposition.

We thus set out to show (63). Using (S6) and Lemma 3.1 we can define the matrices

< = n pin = n pin (65) 



Pi = PfplPf = -PfplPf- (66) 

rd,e,f 



and 

Pb — 1 b fb± b — 1 b^b + b 

With these definitions, for any four bits $b,d,e,f\in\mathbb F_2$ we can define the matrix $V_b^{d,e,f}$ by

yd,e,f = pd p epf = ($)^/(_l)(«te/)e( a *)*B/<W ( 67 ) 

where $\oplus$ denotes addition modulo two. We extend this definition to bit-strings $b,d,e,f\in\mathbb F_2^n$ by writing $V_b^{d,e,f} = \bigotimes_{i=1}^n V_{b[i]}^{d[i],e[i],f[i]}$. Since $V_b^{d,\bar e,f} = (-1)^{d\oplus f}\,V_b^{d,e,f}$, we obtain the following identity for any bit-string $e'\in\mathbb F_2^n$



G = 1 (69) 




Let G be the matrix 



and write $x = (\kappa,s)\in\mathbb F_2^{r+m}$ and $\rho_x = \rho_{\kappa,s,b}$. Let $C_x$ be the set of $g\in\mathbb F_2^n$ which satisfies $Gg = x$. Notice that indeed $C_x = C_{\kappa,s}$ and that for every $g\in C_x$, one can write $C_x = g\oplus C_0$. Defining $(\rho_x)_{kl} = P_b^k\rho_xP_b^l$ and fixing any $\theta\in C_x$, we calculate

$$(\rho_x)_{kl} = P_b^k\rho_xP_b^l = \frac{1}{|C_x|}\sum_{g\in C_x}V_b^{k,g,l} = \frac{1}{|C_x|}\sum_{g\in C_0}V_b^{k,g\oplus\theta,l} = (-1)^{\theta\cdot(k\oplus l)}\frac{1}{|C_x|}\sum_{g\in C_0}V_b^{k,g,l} = (-1)^{\theta\cdot(k\oplus l)}P_b^k\rho_0P_b^l = (-1)^{\theta\cdot(k\oplus l)}(\rho_0)_{kl}. \tag{70}$$

The above identity shows that it is sufficient to compute $(\rho_0)_{kl}$, which we therefore set out to do. Write $|C_0| = 2^q$, where $q$ is the dimension of $C_0$, and let $\{\theta_1,\ldots,\theta_q\}$ be $q$ linearly independent bit-strings which span $C_0$. For $0\le j\le q$, let $C^{(j)}$ be the span of the strings $\theta_1,\ldots,\theta_j$ and $\rho^{(j)} = \frac{1}{|C^{(j)}|}\sum_{g\in C^{(j)}}\rho(g,b)$, in which $\rho(g,b) = \bigotimes_{i=1}^n\rho_{b[i]}^{g[i]}$. Notice that $\rho^{(q)} = \rho_0$ and $\rho^{(0)} = \rho(0,b)$. We shall prove by induction that for all $0\le j\le q$, the following identity holds

$$(\rho^{(j)})_{kl} = \begin{cases}(\rho^{(0)})_{kl} & \text{if } k\oplus l\in C^{(j)\perp},\\ 0 & \text{otherwise.}\end{cases} \tag{71}$$

The $j = 0$ case is trivial in view of the definition of $V$ and the fact that $C^{(0)\perp} = \mathbb F_2^n$. Now, $C^{(j+1)} = C^{(j)}\cup(C^{(j)}\oplus\theta_{j+1})$, so

$$(\rho^{(j+1)})_{kl} = \tfrac12(\rho^{(j)})_{kl}\big(1+(-1)^{(k\oplus l)\cdot\theta_{j+1}}\big). \tag{72}$$
Note that $C^{(j+1)\perp} = C^{(j)\perp}\cap\{\theta_{j+1}\}^\perp$. Observe also that if $(\rho^{(j+1)})_{kl}\ne 0$, we must have that $k\oplus l\in C^{(j)\perp}$ and $(k\oplus l)\cdot\theta_{j+1} = 0 \bmod 2$, which precisely means that $k\oplus l\in C^{(j+1)\perp}$. In this case, we see that $(\rho^{(j+1)})_{kl} = (\rho^{(j)})_{kl}$, which concludes the induction argument.

Now, using (70), we see that for every $\theta\in C_x$, we have $(\rho_x)_{kl} = (-1)^{\theta\cdot(k\oplus l)}(\rho_0)_{kl}$. Also, every string $j\in C_0^\perp$ can be written as a unique linear combination of rows of $G$, i.e. there exists a function $\lambda$ with $\lambda(j)\cdot G = j$ for every $j$ in $C_0^\perp$. We can thus write, using $G\theta = x$,

$$(\rho_x)_{kl} = (-1)^{\lambda(k\oplus l)\cdot x}(\rho_0)_{kl}. \tag{73}$$

We are now ready to complete the proof. We know that if $d(k,l) = w(k\oplus l) < d_w$ and $k\oplus l\in C_0^\perp$, then we must have by definition of $d_w$ that $k\oplus l$ is a sum of rows of $F$ only. This however means that $\lambda(k\oplus l)\cdot(\kappa,s)$ is independent of $\kappa$, which immediately establishes the claim. □

Remark 5.1. We conjecture that it is possible to generalize the argument above, if we assume that the probability of a random linear combination of rows from $K$ and $F$ that contains at least one row from $K$ having weight smaller than $d_w$ is exponentially small. We should then obtain $\mathrm{Tr}\,X\rho_{\kappa,s,b} = \tau_v + \eta_{\kappa,v}$, where $\tau_v$ is independent of $\kappa$ and $\eta_{\kappa,v}$ is exponentially small. This result is enough to complete the privacy proof in a similar manner as described below.
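The combinatorial core of Proposition 5.8, as an added example that is not part of the paper: on a small constructed instance of $F$ and $K$ over $\mathbb F_2$ (toy matrices, not from any real protocol), $d_w$ is computed by brute force, the cosets $C_{\kappa,s}$ of (61) are enumerated, and the closing step of the proof is checked directly, namely that for vectors $u$ in the dual code $C_0^\perp$ with $w(u) < d_w$ the sign $(-1)^{\theta\cdot u}$, $\theta\in C_{\kappa,s}$, depends on the syndrome $s$ but not on the key $\kappa$, whereas for heavier $u$ it can.

```python
from itertools import product

# Constructed toy instance (not from the paper): n = 7 raw key bits, the
# 2 x 7 syndrome matrix F and the 2 x 7 privacy-amplification matrix K.
# The four rows are linearly independent, so every coset C_{kappa,s} has 2^3 elements.
N = 7
F = [(1, 1, 0, 0, 0, 0, 0),
     (0, 0, 1, 1, 0, 0, 0)]
K = [(1, 0, 1, 0, 1, 1, 0),
     (0, 1, 0, 1, 0, 0, 1)]


def add(u, v):
    return tuple((a + b) % 2 for a, b in zip(u, v))


def dot(u, v):
    return sum(a * b for a, b in zip(u, v)) % 2


def apply(M, g):
    """M g over F_2, as a tuple of bits with one entry per row of M."""
    return tuple(dot(row, g) for row in M)


def span(rows):
    """Row space of `rows` over F_2, as {vector: coefficient tuple}."""
    out = {}
    for coeffs in product((0, 1), repeat=len(rows)):
        v = (0,) * N
        for c, row in zip(coeffs, rows):
            if c:
                v = add(v, row)
        out[v] = coeffs  # rows are independent here, so the coefficients are unique
    return out


def d_w(F, K):
    """Minimal weight of a combination of rows of F and K using at least one row of K."""
    r = len(F)
    return min(sum(v) for v, coeffs in span(F + K).items() if any(coeffs[r:]))


def coset(F, K, kappa, s):
    """C_{kappa,s} = {g in F_2^n : F g = s and K g = kappa}, equation (61)."""
    return [g for g in product((0, 1), repeat=N)
            if apply(F, g) == tuple(s) and apply(K, g) == tuple(kappa)]


def phase_depends_on_key(F, K, u, s):
    """Does the sign (-1)^{theta . u}, theta in C_{kappa,s}, change when kappa varies?

    For u in the dual code C_0^perp the choice of theta inside the coset does not
    matter, since C_{kappa,s} = theta + C_0 (the fact used in equation (70)).
    """
    signs = set()
    for kappa in product((0, 1), repeat=len(K)):
        theta = coset(F, K, kappa, s)[0]
        signs.add(dot(theta, u))
    return len(signs) > 1


def low_weight_phases_ignore_key(F, K):
    """Closing step of the proof: every dual vector of weight below d_w is a
    combination of rows of F only, so its phase depends on s but not on kappa."""
    dw = d_w(F, K)
    dual = span(F + K)  # C_0^perp, the row space of G = [F; K]
    return all(not phase_depends_on_key(F, K, u, s)
               for u in dual if sum(u) < dw
               for s in product((0, 1), repeat=len(F)))


if __name__ == "__main__":
    print("d_w =", d_w(F, K))
    print("low-weight phases independent of the key:", low_weight_phases_ignore_key(F, K))
    print("phase of the heavier row K[1] depends on the key:",
          phase_depends_on_key(F, K, K[1], (0, 0)))
```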

For any normalized attack by Eve-Bob on BB84MM, we can calculate the probability distribution $P(\kappa,v)$ by considering the POVM which corresponds to the hypothetical scenario in which Alice announces her key $\kappa$ after the protocol is completed. Since the key $\kappa$ is revealed only after the complete protocol has finished and the measurement performed on the photons thus cannot depend on it, this POVM can be seen to satisfy $F_{\kappa,v} = \Pi_{y(v),\kappa}\otimes E_v$. We thus calculate

$$P(\kappa,v) = \mathrm{Tr}\,F_{\kappa,v}\rho = P(\kappa,y)\,\mathrm{Tr}\,E_v\rho_{\kappa,y}. \tag{74}$$

For ease of notation, we can reorder indices and write $\mathcal H_S = \mathcal H_{\bar K}\otimes\mathcal H_K$, where $\mathcal H_K$ is the state space of all the photons in the set $S_K$ on which the key is defined. We can also split $\rho_{\kappa,y} = \rho^{\bar K}_y\otimes\rho^K_{\kappa,y}$ correspondingly. We can then use Lemma A.1 to define $E^K_v = \mathrm{Tr}_{\bar K}\big(E_v(\rho^{\bar K}_y\otimes 1)\big)$, which only depends on $v$, and one can check

$$P(\kappa,v) = P(\kappa,y)\,\mathrm{Tr}\,E^K_v\rho^K_{\kappa,y}, \tag{75}$$

where the trace now runs over $\mathcal H_K$.

For any nonnegative operator $X$ on $\mathcal H_K$ and for any $y\in\mathcal Y$ and $\kappa\in\mathbb F_2^m$, we define the ratio

$$r_{\kappa,y}(X) = \frac{\mathrm{Tr}\,X\rho^K_{\kappa,y}}{\mathrm{Tr}\,X\rho^K_y}, \qquad \rho^K_y = 2^{-m}\sum_{\kappa\in\mathbb F_2^m}\rho^K_{\kappa,y}, \tag{76}$$

with the convention that $r_{\kappa,y}(X) = 1$ whenever the expression above is undefined. It is easy to see that $r_{\kappa,y}(X)\ge 0$ and

$$\sum_{\kappa\in\mathbb F_2^m}r_{\kappa,y}(X) = 2^m. \tag{77}$$
The following proposition shows that for any view $v$ which satisfies the small sphere property, the joint probabilities $P(\kappa,v)$ for all keys $\kappa$ are very similar and hence $v$ does not leak a significant amount of information about the key.

Proposition 5.9. Consider the BB84MM protocol in which a quasiperfect source with parameters $(\beta_{qp},\gamma_{qp})$ is used and suppose that the conditions in Assumption 4.1 hold. Consider any normalized attack by Eve-Bob on BB84MM and let $P$ be the associated probability distribution. Let $\epsilon_w$ be such that $\tfrac12 d_w = (\tfrac{1}{1-\lambda}\delta_P + \tfrac12\gamma_{qp} + \epsilon_w)\,n$ and note that $\epsilon_w\ge\epsilon$. Consider any view $v$ in $\mathcal C_\epsilon$ and write $\Pi_0 = \Pi_0(z,\epsilon_w)$. Then

$$P(\kappa,v) = \pi_v + \eta_{\kappa,v}, \tag{78}$$

in which $\pi_v$ is a constant independent of $\kappa$ and $\eta_{\kappa,v}$ is bounded according to

$$|\eta_{\kappa,v}| \le 2^{-m}P(v)\big(r_{\kappa,y}(E^K_v) + r_{\kappa,y}(\Pi_0E^K_v\Pi_0)\big)\,h(n,\epsilon), \tag{79}$$

where $h(n,\epsilon) = 2g(n,\epsilon)^{\frac14} + g(n,\epsilon)^{\frac12}$.

Proof. Since the rows of $K$ and $F$ are linearly independent and each value of $g[S_\kappa]$ is equally probable, $P(\kappa,y) = 2^{-m}P(y)$ and $\sum_{\kappa\in\mathbb{F}_2^m}\rho^\kappa_y = 2^m\rho_y$. This gives us

$$P(\kappa,v) = 2^{-m}P(y)\,\mathrm{Tr}\,\bar E_v\rho^\kappa_y. \qquad (80)$$

Write $\bar\Pi_0$ for $1 - \Pi_0$. Using the identity, valid for $\bar A = 1 - A$,

$$X = (A + \bar A)X(A + \bar A) = AXA + AX\bar A + \bar A X(A + \bar A) = AXA + AX\bar A + \bar A X = AXA + \bar A X + X\bar A - \bar A X\bar A, \qquad (81)$$

where the last step uses $AX\bar A = X\bar A - \bar A X\bar A$, we obtain

$$2^m P(y)^{-1} P(\kappa,v) = \mathrm{Tr}\,\bar E_v\Pi_0\rho^\kappa_y\Pi_0 + \mathrm{Tr}\,\bar E_v\bar\Pi_0\rho^\kappa_y + \mathrm{Tr}\,\bar E_v\rho^\kappa_y\bar\Pi_0 - \mathrm{Tr}\,\bar E_v\bar\Pi_0\rho^\kappa_y\bar\Pi_0. \qquad (82)$$

Proposition 5.8 implies that $\mathrm{Tr}\,\bar E_v\Pi_0\rho^\kappa_y\Pi_0$ is independent of $\kappa$, so we define

$$\pi_v = 2^{-m}P(y)\,\mathrm{Tr}\,\bar E_v\Pi_0\rho^\kappa_y\Pi_0, \qquad \eta_{\kappa,v} = 2^{-m}P(y)\bigl(\mathrm{Tr}\,\bar E_v\bar\Pi_0\rho^\kappa_y + \mathrm{Tr}\,\bar E_v\rho^\kappa_y\bar\Pi_0 - \mathrm{Tr}\,\bar E_v\bar\Pi_0\rho^\kappa_y\bar\Pi_0\bigr). \qquad (83)$$

We now make the decomposition $\rho^\kappa_y = \sum_i |\psi^i_{\kappa,v}\rangle\langle\psi^i_{\kappa,v}|$. Noting that the first two terms of $\eta_{\kappa,v}$ are complex conjugates, we obtain

$$|\eta_{\kappa,v}| \le 2^{-m}P(y)\Bigl(2\sum_i\bigl|\langle\psi^i_{\kappa,v}|\bar E_v\bar\Pi_0|\psi^i_{\kappa,v}\rangle\bigr| + \mathrm{Tr}\,\bar E_v\bar\Pi_0\rho^\kappa_y\bar\Pi_0\Bigr). \qquad (84)$$

Since $\bar E_v$ is a nonnegative hermitian matrix, we may write $\bar E_v = \bar E_v^{1/2}\bar E_v^{1/2}$ and employ the Cauchy-Schwarz inequality to write

$$\bigl|\langle\psi^i_{\kappa,v}|\bar E_v\bar\Pi_0|\psi^i_{\kappa,v}\rangle\bigr| \le \langle\psi^i_{\kappa,v}|\bar E_v|\psi^i_{\kappa,v}\rangle^{1/2}\,\langle\psi^i_{\kappa,v}|\bar\Pi_0\bar E_v\bar\Pi_0|\psi^i_{\kappa,v}\rangle^{1/2}. \qquad (85)$$

Another application of Cauchy-Schwarz, now to the sum over $i$, yields

$$\sum_i\bigl|\langle\psi^i_{\kappa,v}|\bar E_v\bar\Pi_0|\psi^i_{\kappa,v}\rangle\bigr| \le \bigl(\mathrm{Tr}\,\bar E_v\bar\Pi_0\rho^\kappa_y\bar\Pi_0\bigr)^{1/2}\bigl(\mathrm{Tr}\,\bar E_v\rho^\kappa_y\bigr)^{1/2}, \qquad (86)$$

and thus

$$|\eta_{\kappa,v}| \le 2^{-m}P(y)\bigl(\mathrm{Tr}\,\bar E_v\bar\Pi_0\rho^\kappa_y\bar\Pi_0\bigr)^{1/2}\Bigl(\bigl(\mathrm{Tr}\,\bar E_v\bar\Pi_0\rho^\kappa_y\bar\Pi_0\bigr)^{1/2} + 2\bigl(\mathrm{Tr}\,\bar E_v\rho^\kappa_y\bigr)^{1/2}\Bigr)$$
$$\le 2^{-m}\max\bigl(r_{\kappa,v}(\bar E_v),\,r_{\kappa,v}(\bar\Pi_0\bar E_v\bar\Pi_0)\bigr)\,P(y)\bigl(\mathrm{Tr}\,\bar E_v\bar\Pi_0\rho_y\bar\Pi_0\bigr)^{1/2}\Bigl(\bigl(\mathrm{Tr}\,\bar E_v\bar\Pi_0\rho_y\bar\Pi_0\bigr)^{1/2} + 2\bigl(\mathrm{Tr}\,\bar E_v\rho_y\bigr)^{1/2}\Bigr), \qquad (87)$$

where we used $\mathrm{Tr}\,X\rho^\kappa_y = r_{\kappa,v}(X)\,\mathrm{Tr}\,X\rho_y$ for both operators. We now use the identity $P(y)\,\mathrm{Tr}\,\bar E_v\rho_y = \mathrm{Tr}\,F_v\rho = P(v)$ together with the fact that $v\in\mathcal{E}_\varepsilon$, so that $P(y)\,\mathrm{Tr}\,\bar E_v\bar\Pi_0\rho_y\bar\Pi_0 \le P(v)\,g(n,\varepsilon)$, to obtain the bound

$$|\eta_{\kappa,v}| \le 2^{-m}\bigl(r_{\kappa,v}(\bar E_v) + r_{\kappa,v}(\bar\Pi_0\bar E_v\bar\Pi_0)\bigr)\bigl(P(v)g(n,\varepsilon)\bigr)^{1/2}\Bigl(\bigl(P(v)g(n,\varepsilon)\bigr)^{1/2} + 2P(v)^{1/2}\Bigr) = 2^{-m}P(v)\bigl(r_{\kappa,v}(\bar E_v) + r_{\kappa,v}(\bar\Pi_0\bar E_v\bar\Pi_0)\bigr)\bigl(g(n,\varepsilon) + 2g(n,\varepsilon)^{1/2}\bigr), \qquad (88)$$

which concludes the proof. □



We now have all the ingredients which are necessary to complete the privacy proof. 

Proof of the privacy theorem. Define $\varepsilon_w$ and $\Pi_0$ as in the statement of Proposition 5.9. Fix a view $v\in\mathcal{E}_\varepsilon$ and a real number $q > 1$. For convenience, define

$$\alpha_{\kappa,v} = r_{\kappa,v}(\bar E_v) + r_{\kappa,v}(\bar\Pi_0\bar E_v\bar\Pi_0). \qquad (89)$$

Note that, by (79),

$$|\eta_{\kappa,v}| \le 2^{-m}P(v)\,\alpha_{\kappa,v}\,h(n,\varepsilon), \qquad (90)$$

and thus, recalling (77), which gives $\sum_{\kappa\in\mathbb{F}_2^m}\alpha_{\kappa,v} = 2^{m+1}$,

$$\bigl|P(v) - 2^m\pi_v\bigr| \le \sum_{\kappa\in\mathbb{F}_2^m}|\eta_{\kappa,v}| \le 2^{-m}P(v)h(n,\varepsilon)\sum_{\kappa\in\mathbb{F}_2^m}\alpha_{\kappa,v} = 2P(v)h(n,\varepsilon). \qquad (91)$$

From this we obtain the bound

$$\Bigl|P(\kappa\,|\,v) - 2^{-m}\Bigr| = \Bigl|\frac{P(\kappa,v)}{P(v)} - 2^{-m}\Bigr| \le \frac{1}{P(v)}\Bigl(|P(\kappa,v) - \pi_v| + \bigl|\pi_v - 2^{-m}P(v)\bigr|\Bigr) \le 2^{-m}(\alpha_{\kappa,v} + 2)\,h(n,\varepsilon). \qquad (92)$$

Recalling that $\sum_{\kappa\in\mathbb{F}_2^m}\alpha_{\kappa,v} = 2^{m+1}$, we see that the set $\mathcal{K}_v = \{\kappa\in\mathbb{F}_2^m \mid \alpha_{\kappa,v} \le 2q\}$ has at least $2^m(1 - \tfrac{1}{q})$ elements. Thus, defining the set $\mathcal{I} = \bigcup_{v\in\mathcal{E}_\varepsilon\cap\mathcal{P}}\mathcal{K}_v\times\{v\} \subset \mathbb{F}_2^m\times\mathcal{P}$, we see that for all $(\kappa,v)\in\mathcal{I}$,

$$\bigl|P(\kappa\,|\,v) - 2^{-m}\bigr| \le 2^{-m}(2q + 2)\,h(n,\varepsilon). \qquad (93)$$

Now, since Alice chooses her key uniformly at random when the test $\mathcal{P}$ is not passed, we have

$$H(\kappa\,|\,v) = -\sum_{(\kappa,v)}P(\kappa,v)\log_2P(\kappa\,|\,v) \ge mP(\bar{\mathcal{P}}) - \sum_{(\kappa,v)\in\mathcal{I}}P(\kappa,v)\log_2P(\kappa\,|\,v), \qquad (94)$$

where the inequality was obtained by noting that $\log_2 p \le 0$ for all $0 < p \le 1$ and that $\mathcal{I}\subset\mathbb{F}_2^m\times\mathcal{P}$. Writing $P(\kappa\,|\,v) = 2^{-m}(1 + \xi_{\kappa,v}) > 0$, where $|\xi_{\kappa,v}| \le (2q+2)h(n,\varepsilon)$, noting that $(1+x)\log_2(1+x) \le (1+x)\frac{x}{\ln 2}$ for any $x > -1$ and using $P(\mathcal{I}) \le 1$, we see

$$H(\kappa\,|\,v) \ge mP(\bar{\mathcal{P}}) - \sum_{(\kappa,v)\in\mathcal{I}}P(\kappa,v)\Bigl(-m + \frac{(2q+2)h(n,\varepsilon)}{\ln 2}\Bigr) = m\bigl(P(\bar{\mathcal{P}}) + P(\mathcal{I})\bigr) - \frac{(2q+2)h(n,\varepsilon)}{\ln 2}P(\mathcal{I}) \ge m\bigl(P(\bar{\mathcal{P}}) + P(\mathcal{I})\bigr) - \frac{(2q+2)h(n,\varepsilon)}{\ln 2}. \qquad (95)$$

Using (93) it is easy to see that

$$P(\mathcal{I}) = \sum_{v\in\mathcal{E}_\varepsilon\cap\mathcal{P}}P(v)\sum_{\kappa\in\mathcal{K}_v}P(\kappa\,|\,v) \ge P(\mathcal{E}_\varepsilon\cap\mathcal{P})\Bigl(1 - \frac{1}{q}\Bigr)\bigl(1 - (2q+2)h(n,\varepsilon)\bigr). \qquad (96)$$

From the above, we conclude

$$H(\kappa\,|\,v) \ge m\Bigl(P(\bar{\mathcal{P}}) + \Bigl(1 - \frac{1}{q}\Bigr)\bigl(1 - (2q+2)h(n,\varepsilon)\bigr)\bigl(P(\mathcal{P}) - P(\mathcal{P}\cap\bar{\mathcal{E}}_\varepsilon)\bigr)\Bigr) - \frac{(2q+2)h(n,\varepsilon)}{\ln 2}$$
$$\ge m - \frac{m}{q} - \Bigl(m + \frac{1}{\ln 2}\Bigr)(2q+2)h(n,\varepsilon) - mP(\mathcal{P}\cap\bar{\mathcal{E}}_\varepsilon). \qquad (97)$$

Now choose

$$q = \sqrt{\frac{m}{2\bigl(m + \frac{1}{\ln 2}\bigr)h(n,\varepsilon)}}.$$

It is easy to see that there exists a function $N(\varepsilon)$ which depends only on $\varepsilon$, such that $q > 1$ for all $n > N(\varepsilon)$. Thus, for all $n > N(\varepsilon)$, we have

$$H(\kappa\,|\,v) \ge m - \varepsilon_1(n,\varepsilon,m), \qquad (98)$$

in which

$$\varepsilon_1(n,\varepsilon,m) = 2\Bigl(m + \frac{1}{\ln 2}\Bigr)h(n,\varepsilon) + 2\sqrt{2\Bigl(m + \frac{1}{\ln 2}\Bigr)m\,h(n,\varepsilon)} + mP(\mathcal{P}\cap\bar{\mathcal{E}}_\varepsilon). \qquad (99)$$

Corollary 5.7 now implies that $\varepsilon_1$ satisfies the condition (17), which completes the proof. □
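Added remark (not part of the paper): the value of $q$ chosen above is the one that minimises the loss in the bound (97). Ignoring the term $mP(\cdot)$, which does not depend on $q$, and writing $c = (m + \tfrac{1}{\ln 2})h(n,\varepsilon)$, the loss is

$$L(q) = \frac{m}{q} + 2cq + 2c, \qquad L'(q) = -\frac{m}{q^2} + 2c, \qquad L''(q) = \frac{2m}{q^3} > 0,$$

so the unique minimum is at $q = \sqrt{m/(2c)}$, which is exactly the choice made, and there

$$L\bigl(\sqrt{m/(2c)}\bigr) = 2\sqrt{2cm} + 2c = 2\sqrt{2\bigl(m + \tfrac{1}{\ln 2}\bigr)m\,h(n,\varepsilon)} + 2\bigl(m + \tfrac{1}{\ln 2}\bigr)h(n,\varepsilon),$$

which are the two $q$-dependent terms of $\varepsilon_1$ in (99). Since $q > 1$ is required for the Markov-type count of $\mathcal{K}_v$, the condition $n > N(\varepsilon)$ is just $h(n,\varepsilon) < m/(2(m + \tfrac{1}{\ln 2}))$, and the right-hand side is at least $1/(2(1 + \tfrac{1}{\ln 2}))$ for every $m \ge 1$.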
A Technical Issues

In this appendix, we present some technical lemmas which were used. The first lemma concerns the reduction of a trace to a smaller Hilbert space.

Lemma A.1. Consider two finite dimensional Hilbert spaces $\mathcal{H}_A$, $\mathcal{H}_B$ and the product Hilbert space $\mathcal{H} = \mathcal{H}_A\otimes\mathcal{H}_B$. Consider two density matrices $\rho_A$ and $\rho_B$ over $\mathcal{H}_A$ and $\mathcal{H}_B$ respectively and let $\rho = \rho_A\otimes\rho_B$. Then for any measurement operator $F$ acting on $\mathcal{H}$, there exists a measurement operator $F'_{\rho_B}$ on $\mathcal{H}_A$ which depends only on $F$ and $\rho_B$, such that

$$\mathrm{Tr}_{\mathcal{H}}\,F\rho = \mathrm{Tr}_{\mathcal{H}_A}\,F'_{\rho_B}\rho_A. \qquad (100)$$

In addition, for any set $\{F_q\}_{q\in Q}$ of measurement operators on $\mathcal{H}$ such that

$$\sum_{q\in Q}F_q = 1_{\mathcal{H}}, \qquad (101)$$

we have that $\sum_{q\in Q}F'_{q,\rho_B} = 1_{\mathcal{H}_A}$.

Proof. Let $n_A$ and $n_B$ denote the dimension of $\mathcal{H}_A$ respectively $\mathcal{H}_B$. For any four-tuple of integers $(i_A, j_A, i_B, j_B)$ such that $1\le i_A,j_A\le n_A$ and $1\le i_B,j_B\le n_B$, define $e_{i_Aj_Ai_Bj_B} = e^A_{i_Aj_A}\otimes e^B_{i_Bj_B}$, where $e^A_{i_Aj_A}$ is the $n_A\times n_A$ matrix which has a 1 at position $(i_A,j_A)$ and zeroes elsewhere and $e^B_{i_Bj_B}$ is defined similarly. Any square matrix $X$ on $\mathcal{H}$ can be decomposed as

$$X = \sum_{(i_A,j_A,i_B,j_B)}X_{i_Aj_Ai_Bj_B}\,e_{i_Aj_Ai_Bj_B}. \qquad (102)$$

Thus defining

$$X'_{\rho_B} = \sum_{i_A,j_A}\Bigl(\sum_{i_B,j_B}X_{i_Aj_Ai_Bj_B}\,\mathrm{Tr}_{\mathcal{H}_B}\,e^B_{i_Bj_B}\rho_B\Bigr)e^A_{i_Aj_A}, \qquad (103)$$

we see that indeed $\mathrm{Tr}_{\mathcal{H}}\,X\rho = \mathrm{Tr}_{\mathcal{H}_A}\,X'_{\rho_B}\rho_A$, since $\mathrm{Tr}_{\mathcal{H}}\,(e^A\otimes e^B)(\rho_A\otimes\rho_B) = (\mathrm{Tr}_{\mathcal{H}_A}\,e^A\rho_A)(\mathrm{Tr}_{\mathcal{H}_B}\,e^B\rho_B)$. The fact that $X'_{\rho_B}$ is a nonnegative operator whenever $X$ is can be seen by taking $\rho_A = |a\rangle\langle a|$ for any normalized state $|a\rangle$ in $\mathcal{H}_A$ and noting that

$$\langle a|X'_{\rho_B}|a\rangle = \mathrm{Tr}_{\mathcal{H}_A}\,X'_{\rho_B}|a\rangle\langle a| = \mathrm{Tr}_{\mathcal{H}}\,X\,|a\rangle\langle a|\otimes\rho_B \ge 0. \qquad (104)$$

The last claim in the lemma can be verified by noting that $(X+Y)'_{\rho_B} = X'_{\rho_B} + Y'_{\rho_B}$ and $1'_{\rho_B} = 1_{\mathcal{H}_A}$, since $\mathrm{Tr}_{\mathcal{H}_B}\,\rho_B = 1$. □
The following result gives a bound on the success rate of any quantum measurement which must distinguish between two quantum states. In addition, it shows that performing collective measurements on random sequences of these two states does not improve the success rate on individual positions.

Theorem A.2. Consider two pairs of density matrices $(\rho^0_a,\rho^1_a)$, for $a = 0,1$. Denote by $S_a$ the set of eigenvalues $\lambda$ of the matrix $\rho^0_a - \rho^1_a$ and define the quantity $\Delta = \max_{a=0,1}\sum_{\lambda\in S_a}|\lambda|$. Fix an integer $N$ and a string $a\in\mathbb{F}_2^N$. Let a source emit a sequence of $N$ states, given by a string $g$, where $g[i] = 0$ when $\rho^0_{a[i]}$ was emitted and $g[i] = 1$ otherwise. Suppose that at each position both possible states have equal probabilities to occur, i.e. $P(g[i] = 0) = P(g[i] = 1) = \tfrac12$. Consider an arbitrary measurement on the system which gives guesses $h$ for $g$ for $m\le N$ different positions. Then the probability that the $m$ guesses are all correct is bounded by

$$\mathrm{Success}\le\Bigl(\frac12 + \frac14\Delta\Bigr)^m. \qquad (105)$$

Proof. We assume that $a = 0$ and write $\rho^0,\rho^1$ for $\rho^0_0,\rho^1_0$. With the addition of some bookkeeping arguments the proof given below can be seen to hold for all strings $a$. We model the emission of the source as a state in $\mathcal{H}_C\otimes\mathcal{H}_S$, in which $\mathcal{H}_C$ is the classical space consisting of bit-strings in $\mathbb{F}_2^N$ and $\mathcal{H}_S = \mathcal{H}^{\otimes N}$ is the state space for the emitted quantum states. Without loss of generality, we shall assume that the $m$ positions for which the guess $h$ is supplied are the first $m$ positions. Correspondingly, we write $g'\in\mathbb{F}_2^m$ for the first $m$ bits of $g$. The measurement determining the guess $h$ and the subsequent announcement of $g'$ can be described by the POVM

$$\{(h,g'),\ \Pi_{g'}\otimes F_h\}, \qquad (106)$$

since the measurement on the quantum states is independent of the announcement $g'$. The probability of success thus reads, using Lemma 5.5,

$$P_{\mathrm{success}} = 2^{-m}\sum_{g'\in\mathbb{F}_2^m}\mathrm{Tr}\,F_{g'}\rho^S_{g'}, \qquad (107)$$

where

$$\rho^S_{g'} = 2^{m-N}\Bigl(\bigotimes_{k=1}^m\rho^{g'[k]}\Bigr)\otimes(\rho^0 + \rho^1)^{\otimes(N-m)}. \qquad (108)$$

Splitting $\mathcal{H}_S = \mathcal{H}^{\otimes m}\otimes\mathcal{H}_{\mathrm{rest}}$ and using Lemma A.1 to perform the trace over $\mathcal{H}_{\mathrm{rest}}$, we obtain $P_{\mathrm{success}} = \mathrm{Tr}\,T_m$, in which the trace runs over $\mathcal{H}^{\otimes m}$ and $T_m$ is given by

$$T_m = 2^{-m}\sum_{g'\in\mathbb{F}_2^m}F'_{g'}\rho_{g'}, \qquad \rho_{g'} = \bigotimes_{k=1}^m\rho^{g'[k]}. \qquad (109)$$

Consider the linear space $\mathcal{W}$ spanned by words over the alphabet $\{F^0, F^1, \rho^0, \rho^1\}$. For every word $w = w_1w_2\cdots w_{2m}$, we define the normalized word $\mathcal{N}(w)$, which reorders the symbols $w_i$ such that each $F^a$ stands to the left of each $\rho^b$, but otherwise leaves the ordering invariant. For example,

$$\mathcal{N}(F^0\rho^1F^1\rho^0) = F^0F^1\rho^1\rho^0. \qquad (110)$$

For every normalized word of the form

$$F^{v[1]}\cdots F^{v[m]}\rho^{w[1]}\cdots\rho^{w[m]} \qquad (111)$$

we define the corresponding matrix $\mathcal{M}(w) = F'_v\rho_w$. These operators can be extended to the complete linear space $\mathcal{W}$ by simply linearizing. We recursively define elements in $\mathcal{W}$ by letting $W_0$ be the empty word and

$$W_j = (F^0\rho^0 + F^1\rho^1)W_{j-1} = \Bigl((F^0 + F^1)\tfrac12(\rho^0 + \rho^1) + (F^0 - F^1)\tfrac12(\rho^0 - \rho^1)\Bigr)W_{j-1}. \qquad (112)$$

It is not hard to see that $T_m = 2^{-m}\mathcal{M}(\mathcal{N}(W_m))$. Write $W_m = (A_0 + A_1)^m$, where $A_0 = (F^0 + F^1)\tfrac12(\rho^0 + \rho^1)$ and $A_1 = (F^0 - F^1)\tfrac12(\rho^0 - \rho^1)$. For any $v\in\mathbb{F}_2^m$, we define the element $A_v = A_{v[1]}A_{v[2]}\cdots A_{v[m]}$. We shall compute $\mathrm{Tr}\,\mathcal{M}(A_v)$. Without loss of generality, we shall assume that $v = (0,\ldots,0,1,\ldots,1)$ with $d(v,0) = s$. Using Lemma A.1 to perform the trace over the first $m - s$ positions, we are left with

$$\mathrm{Tr}\,\mathcal{M}(A_v) = \sum_{w\in\mathbb{F}_2^s}\epsilon(w)\,2^{-s}\,\mathrm{Tr}\,F''_w(\rho^0 - \rho^1)^{\otimes s}, \qquad (113)$$

where $F''_w = \sum_{u\in\mathbb{F}_2^{m-s}}\bigl(F'_{uw}\bigr)'_{(\frac12(\rho^0+\rho^1))^{\otimes(m-s)}}$ and where $\epsilon(w) = (-1)^{d(w,0)}$ is a $\pm1$ valued function. Pass to a basis for which $\rho^0 - \rho^1$ is diagonal and let $F'''_w$ be $F''_w$ in this basis. Note that we have $\sum_{w\in\mathbb{F}_2^s}F''_w = 1_{\mathcal{H}^{\otimes s}}$ and that each $F''_w$ is a measurement operator, which means that all the diagonal elements $d_{ii}$ of $\sum_{w\in\mathbb{F}_2^s}\epsilon(w)F'''_w$ satisfy $|d_{ii}|\le 1$. Since the diagonal of $(\rho^0 - \rho^1)^{\otimes s}$ in this basis consists of products $\lambda_1\cdots\lambda_s$ of eigenvalues, whose absolute values sum to $\bigl(\sum_{\lambda}|\lambda|\bigr)^s\le\Delta^s$, this means in particular

$$|\mathrm{Tr}\,\mathcal{M}(A_v)|\le 2^{-s}\Delta^s. \qquad (114)$$

We can thus compute, summing $\mathrm{Tr}\,\mathcal{M}(A_v)$ over all $v$,

$$\mathrm{Tr}\,T_m\le 2^{-m}\sum_{s=0}^m\binom{m}{s}2^{-s}\Delta^s = 2^{-m}\Bigl(1 + \frac{\Delta}{2}\Bigr)^m, \qquad (115)$$

which proves the claim. □
The following two results are standard bounds on the tails of binomial distributions.



Lemma A.3. Let $p$, $r$ and $t$ be positive numbers such that $0 < r < p < p + t < 1$. Let $n_r$ and $n_p$ be two positive integers and define the set $V = \{(i_r,i_p)\in\mathbb{N}_0\times\mathbb{N}_0\mid i_r + i_p\ge(p+t)n\}$, where $n = n_r + n_p$. Then

$$\sum_{(i_r,i_p)\in V}\binom{n_p}{i_p}\binom{n_r}{i_r}p^{i_p}(1-p)^{n_p-i_p}r^{i_r}(1-r)^{n_r-i_r}\le e^{-2t^2n}. \qquad (116)$$
Proof. For simplicity, we define $q = 1-p$, $s = 1-r$, $k = \lceil(p+t)n\rceil$ and write

$$S = \sum_{(i_r,i_p)\in V}\binom{n_p}{i_p}\binom{n_r}{i_r}p^{i_p}(1-p)^{n_p-i_p}r^{i_r}(1-r)^{n_r-i_r}. \qquad (117)$$

Then for any $x\ge 1$, one has

$$S\le\sum_{(i_r,i_p)\in V}\binom{n_p}{i_p}\binom{n_r}{i_r}p^{i_p}(1-p)^{n_p-i_p}r^{i_r}(1-r)^{n_r-i_r}x^{i_p+i_r-k}\le\sum_{0\le i_p\le n_p,\ 0\le i_r\le n_r}\binom{n_p}{i_p}\binom{n_r}{i_r}p^{i_p}(1-p)^{n_p-i_p}r^{i_r}(1-r)^{n_r-i_r}x^{i_p+i_r-k}$$
$$= x^{-k}(q+px)^{n_p}(s+rx)^{n_r}\le x^{-k}(q+px)^{n}\le\bigl(x^{-(p+t)}(q+px)\bigr)^n, \qquad (118)$$

where we have used $s + rx\le q + px$, i.e. $(p-r)(x-1)\ge 0$, in the second to last inequality and $k\ge(p+t)n$, $x\ge 1$ in the last. Fixing $x = \frac{(p+t)q}{p(q-t)} > 1$, for which $q + px = \frac{q}{q-t}$, we obtain

$$S\le\Bigl(\Bigl(\frac{p}{p+t}\Bigr)^{p+t}\Bigl(\frac{q}{q-t}\Bigr)^{q-t}\Bigr)^n. \qquad (119)$$

Define the function

$$g(t) = (p+t)\ln\frac{p}{p+t} + (q-t)\ln\frac{q}{q-t}, \qquad (120)$$

so that $S\le e^{n\,g(t)}$. It is easy to see that $g$ is $C^\infty$ on $[0,q)$, so we may employ Taylor's formula to get

$$g(t) = g(0) + t\,g'(0) + \int_0^t g''(u)(t-u)\,du. \qquad (121)$$

Notice that $g(0) = g'(0) = 0$ and

$$g''(u) = -\frac{1}{(p+u)(q-u)}\le -4\quad\text{for any }u\in[0,q),$$

since $(p+u) + (q-u) = 1$ implies $(p+u)(q-u)\le\tfrac14$. Therefore $g(t)\le -4\int_0^t(t-u)\,du = -2t^2$, from which the statement follows. □



Corollary A.4. Let $p$, $r$ and $t$ be positive numbers such that $0 < r - t < r < p < 1$. Let $n_r$ and $n_p$ be two positive integers and define the set $V = \{(i_r,i_p)\in\mathbb{N}_0\times\mathbb{N}_0\mid i_r + i_p\le(r-t)n\}$, where $n = n_r + n_p$. Then

$$\sum_{(i_r,i_p)\in V}\binom{n_p}{i_p}\binom{n_r}{i_r}p^{i_p}(1-p)^{n_p-i_p}r^{i_r}(1-r)^{n_r-i_r}\le e^{-2t^2n}. \qquad (122)$$

Proof. This follows immediately from Lemma A.3 by making the substitutions $r\to 1-r$, $p\to 1-p$, $i_r\to n_r - i_r$, $i_p\to n_p - i_p$ (which turns the condition $i_r + i_p\le(r-t)n$ into $i_r + i_p\ge(1-r+t)n$) and recalling that $\binom{n}{i} = \binom{n}{n-i}$. □
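A numerical check of Lemma A.3 and Corollary A.4, added here as an example and not part of the paper: the exact two-binomial tail over the set $V$ is compared with the intermediate bound (119) and with the final $e^{-2t^2n}$, and the second derivative $g''(u)$ from the proof is evaluated. The parameters in the usage and tests ($n_r = 40$, $n_p = 60$, $r = 0.05$, $p = 0.10$, $t = 0.10$ and so on) are constructed for illustration; the only requirement is the ordering $0 < r < p < p + t < 1$ of the lemma (or $0 < r - t < r < p < 1$ for the corollary).

```python
# Added example (not from the paper): numerically check the tail bounds of
# Lemma A.3 / Corollary A.4 for a pair of binomial counts. The exact tail
# is the two-binomial mass summed over the set V of the lemma;
# chernoff_bound() is the intermediate bound (119) and hoeffding_bound()
# the final e^{-2 t^2 n}. Parameters used below are constructed.
import math

def two_binomial_pmf(n_r, n_p, r, p, i_r, i_p):
    """Probability of i_r successes among the n_r 'r-type' trials and i_p among the n_p 'p-type' ones."""
    return (math.comb(n_p, i_p) * p ** i_p * (1 - p) ** (n_p - i_p)
            * math.comb(n_r, i_r) * r ** i_r * (1 - r) ** (n_r - i_r))

def upper_tail(n_r, n_p, r, p, t):
    """Lemma A.3: P[i_r + i_p >= (p + t) n] with n = n_r + n_p (requires 0 < r < p < p + t < 1)."""
    n = n_r + n_p
    return sum(two_binomial_pmf(n_r, n_p, r, p, i_r, i_p)
               for i_r in range(n_r + 1) for i_p in range(n_p + 1)
               if i_r + i_p >= (p + t) * n)

def lower_tail(n_r, n_p, r, p, t):
    """Corollary A.4: P[i_r + i_p <= (r - t) n] (requires 0 < r - t < r < p < 1)."""
    n = n_r + n_p
    return sum(two_binomial_pmf(n_r, n_p, r, p, i_r, i_p)
               for i_r in range(n_r + 1) for i_p in range(n_p + 1)
               if i_r + i_p <= (r - t) * n)

def chernoff_bound(n, p, t):
    """Bound (119): ((p/(p+t))^(p+t) (q/(q-t))^(q-t))^n with q = 1 - p."""
    q = 1 - p
    return ((p / (p + t)) ** (p + t) * (q / (q - t)) ** (q - t)) ** n

def hoeffding_bound(n, t):
    """The final form e^{-2 t^2 n} of (116) and (122)."""
    return math.exp(-2 * t * t * n)

def g_second_derivative(p, u):
    """g''(u) = -1 / ((p+u)(q-u)) from the proof of Lemma A.3; it is <= -4 on [0, q)."""
    q = 1 - p
    return -1.0 / ((p + u) * (q - u))

if __name__ == "__main__":
    # Constructed parameters: 40 'r-type' and 60 'p-type' positions, t = 0.1.
    n_r, n_p, r, p, t = 40, 60, 0.05, 0.10, 0.10
    print("exact upper tail :", upper_tail(n_r, n_p, r, p, t))
    print("bound (119)      :", chernoff_bound(n_r + n_p, p, t))
    print("e^{-2 t^2 n}     :", hoeffding_bound(n_r + n_p, t))
```

The chain exact tail $\le$ (119) $\le e^{-2t^2n}$ holds for every admissible choice; the gap between the two bounds is the price paid in the proof for the clean closed form, which is what the test $\mathcal{P}$ in the main text relies on.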

This next result is a classic result which follows directly from the concavity of the logarithm.

Lemma A.5 (Jensen). Consider real numbers $a_1,\ldots,a_m$ and $b_1,\ldots,b_m$ and suppose that $0\le a_i\le 1$, $b_i > 0$ and $\sum_{i=1}^m a_i = 1$. Then

$$\sum_{i=1}^m a_i\log_2 b_i\le\log_2\sum_{i=1}^m a_ib_i. \qquad (123)$$
Lemma A.6. Let $\mu > 0$ be a strictly positive real number. Let $y$ be a random variable taking values in a set $\mathcal{Y}$ and let $\{a_y\}_{y\in\mathcal{Y}}$ be a set of $|\mathcal{Y}|$ real nonnegative numbers such that $\sum_{y\in\mathcal{Y}}a_y\le\mu$. Let $q$ be a strictly positive number and define the subset $X\subset\mathcal{Y}$ by

$$X = \{y\in\mathcal{Y}\mid a_y\le\mu q\,P_y(y)\}. \qquad (124)$$

Then $P_y(X)\ge 1 - \tfrac1q$.

Proof. Assume to the contrary that $P_y(\mathcal{Y}\setminus X) > \tfrac1q$. Then

$$\sum_{y\in\mathcal{Y}}a_y\ge\sum_{y\in\mathcal{Y}\setminus X}a_y > \mu q\sum_{y\in\mathcal{Y}\setminus X}P_y(y) = \mu q\,P_y(\mathcal{Y}\setminus X) > \mu, \qquad (125)$$

which is a contradiction. □

B Error Correcting Codes 

Consider two integers which satisfy $1\le k\le n$ and let $G$ be a $k\times n$ binary matrix with linearly independent rows. Define the set $S(G) = \{w\in\mathbb{F}_2^n\mid w = vG\text{ for some }v\in\mathbb{F}_2^k\}$, which is a linear subspace of $\mathbb{F}_2^n$ of dimension $k$. Letting $d_G = \min_{g\in S(G),\,g\ne0}d(g,0)$ be the minimum weight of nonzero strings in $S(G)$, we say that the set $S(G)$ is an $(n,k)$ linear code with minimum distance $d_G$. For any such matrix $G$ the map $\mathrm{Enc}_G:\mathbb{F}_2^k\to\mathbb{F}_2^n$ which sends $v\mapsto vG$ is an injection of $\mathbb{F}_2^k$ into $\mathbb{F}_2^n$ and can be used to encode messages in $\mathbb{F}_2^k$ into strings in the larger space $\mathbb{F}_2^n$. The intuitive idea of an error correcting code is to use the redundancy in this encoding to protect any encoded string from bitflips in a small number of positions. This is usually done by means of minimum distance decoding, that is, for any string $s\in\mathbb{F}_2^n$, one defines $\mathrm{Dec}_G(s)\in\mathbb{F}_2^k$ to be a string $s_{\mathrm{org}}$ that minimizes $d(s_{\mathrm{org}}G, s)$. Let $t$ be any positive integer satisfying $2t + 1\le d_G$ and let $e\in\mathbb{F}_2^n$ be an arbitrary string with weight $d(e,0)\le t$. Since $d(\mathrm{Enc}_G(s_{\mathrm{org}}),\mathrm{Enc}_G(s'_{\mathrm{org}})) = d((s_{\mathrm{org}}\oplus s'_{\mathrm{org}})G, 0)\ge d_G\ge 2t+1$ whenever $s_{\mathrm{org}}\ne s'_{\mathrm{org}}$, the string $\mathrm{Enc}_G(s_{\mathrm{org}})\oplus e$ lies at distance at most $t$ from $\mathrm{Enc}_G(s_{\mathrm{org}})$ and, by the triangle inequality, at distance at least $t+1$ from every other codeword, so we must have $\mathrm{Dec}_G(\mathrm{Enc}_G(s_{\mathrm{org}})\oplus e) = s_{\mathrm{org}}$ for any message $s_{\mathrm{org}}\in\mathbb{F}_2^k$. We thus see that the decoding scheme functions correctly whenever the number of bitflips which have occurred on the encoded string does not exceed $t_{\max} = \lfloor\frac{d_G-1}{2}\rfloor$, and we correspondingly say that the code $S(G)$ is an error correcting code which can correct $t_{\max}$ errors.

It can be shown that there exists a binary $(n-k)\times n$ matrix $H$ for which $Hg = 0$ (with $g$ read as a column vector) if and only if $g\in S(G)$. This matrix is called the parity check matrix of the code $S(G)$. For a given $x\in\mathbb{F}_2^n$, we call $s = Hx$ the syndrome of $x$. Notice that whenever two strings $x, x'$ share the same syndrome $s$, we have $H(x\oplus x') = Hx\oplus Hx' = s\oplus s = 0$ and hence $x\oplus x'\in S(G)$. We can exploit this fact by defining a decode function $\mathrm{Dec}^s_G:\mathbb{F}_2^n\to\mathbb{F}_2^n$ which computes $\mathrm{Dec}^s_G(y) = x$ for any $x$ which satisfies $Hx = s$ and $d(y,x) = \min\{d(y,x')\mid Hx' = s\}$. Using the same arguments as above, it can be seen that for any error string $e$ with $d(e,0)\le t_{\max}$, we have $\mathrm{Dec}^{Hx}_G(x\oplus e) = x$. This fact was used to prove that Alice and Bob share the same secret key at the end of the protocol if $d_{S}(g,h)\le\delta_{\mathcal{P}} + \varepsilon$.
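The objects of this appendix, as an added worked example in Python (not code from the paper): a generator matrix $G$, the parity check matrix $H$ obtained from the systematic form of $G$, the minimum distance $d_G$ and $t_{\max}$, and both decoders, $\mathrm{Dec}_G$ by nearest codeword and $\mathrm{Dec}^s_G$ by syndrome and coset leader. The $(7,4)$ Hamming generator is a sample input chosen here; the brute-force coset-leader table enumerates all of $\mathbb{F}_2^n$, so this is only meant for small $n$, and the $H$ construction assumes the first $k$ columns of $G$ are linearly independent (true for the sample).

```python
# Added example (not from the paper): a binary linear code given by a
# generator matrix G, its parity-check matrix H, minimum-distance and
# syndrome decoding as in Appendix B. Vectors are tuples of 0/1.
# Sample input (constructed): the [7,4] Hamming code, d_G = 3, t_max = 1.
from itertools import product

def vec_mat(v, M):
    """Row vector times matrix over F_2: the encoding v -> vG."""
    n = len(M[0])
    return tuple(sum(v[i] * M[i][j] for i in range(len(M))) % 2 for j in range(n))

def mat_vec(M, x):
    """Matrix times column vector over F_2: the syndrome s = Hx."""
    return tuple(sum(M[i][j] * x[j] for j in range(len(x))) % 2 for i in range(len(M)))

def weight(v):
    return sum(v)

def codewords(G):
    """S(G) = { vG : v in F_2^k }, mapped back to the message v."""
    k = len(G)
    return {vec_mat(v, G): v for v in product((0, 1), repeat=k)}

def min_distance(G):
    """d_G: minimum weight of a nonzero codeword."""
    return min(weight(c) for c in codewords(G) if weight(c) > 0)

def t_max(G):
    return (min_distance(G) - 1) // 2

def parity_check(G):
    """H with Hg = 0 iff g in S(G). Brings G to systematic form [I_k | P] by
    Gauss-Jordan over F_2 (assumes the first k columns of G are independent)
    and returns H = [P^T | I_{n-k}]."""
    k, n = len(G), len(G[0])
    A = [row[:] for row in G]
    for col in range(k):
        piv = next(i for i in range(col, k) if A[i][col])
        A[col], A[piv] = A[piv], A[col]
        for i in range(k):
            if i != col and A[i][col]:
                A[i] = [a ^ b for a, b in zip(A[i], A[col])]
    return [[A[i][k + j] for i in range(k)] + [1 if j == c else 0 for c in range(n - k)]
            for j in range(n - k)]

def coset_leaders(H):
    """For every syndrome s, a minimum-weight e with He = s (the coset leader)."""
    n = len(H[0])
    leaders = {}
    for e in sorted(product((0, 1), repeat=n), key=weight):
        leaders.setdefault(mat_vec(H, e), e)
    return leaders

def decode_syndrome(H, leaders, y, s):
    """Dec^s_G(y): the x with Hx = s closest to y, i.e. y xor leader(Hy xor s)."""
    e = leaders[tuple(a ^ b for a, b in zip(mat_vec(H, y), s))]
    return tuple(a ^ b for a, b in zip(y, e))

def decode_message(G, H, leaders, y):
    """Dec_G(y): the message whose codeword is nearest to y (syndrome 0 case)."""
    x = decode_syndrome(H, leaders, y, (0,) * len(H))
    return codewords(G)[x]

# Sample input: [7,4] Hamming code in systematic form.
G_HAMMING = [[1, 0, 0, 0, 1, 1, 0],
             [0, 1, 0, 0, 1, 0, 1],
             [0, 0, 1, 0, 0, 1, 1],
             [0, 0, 0, 1, 1, 1, 1]]

if __name__ == "__main__":
    H = parity_check(G_HAMMING)
    leaders = coset_leaders(H)
    msg = (1, 0, 1, 1)
    c = vec_mat(msg, G_HAMMING)
    y = tuple(b ^ (1 if i == 5 else 0) for i, b in enumerate(c))   # one bit flip
    print("d_G =", min_distance(G_HAMMING), "t_max =", t_max(G_HAMMING))
    print("decoded:", decode_message(G_HAMMING, H, leaders, y), "from", y)
```

In the protocol the second decoder is the one that matters: Alice sends the syndrome $Hx$ of her string, Bob applies $\mathrm{Dec}^{Hx}_G$ to his noisy copy $x\oplus e$, and recovers $x$ exactly as long as $d(e,0)\le t_{\max}$; two flips in the sample code land in a wrong coset and are silently mis-corrected, which is why the protocol tests the error rate first.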

The next basic results give some minimal bounds on the efficiency of error correcting codes and were used to establish the worst-case asymptotic rate of key generation (18).

Lemma B.1 (Gilbert-Varshamov). For any strictly positive integers $n, r, t$ which satisfy

$$\sum_{i=0}^{2t}\binom{n}{i} < 2^r, \qquad (126)$$

there exists a linear $(n, n-r)$ code which can correct $t$ errors.

Proof. We will construct an $(n-r)\times n$ generator matrix $G$ of a code which has minimum distance $d$ satisfying $d\ge 2t+1$ and can hence correct $t$ errors. Set $v_1$ to be an arbitrary vector from $\mathbb{F}_2^n$ which has weight $2t+1$ and iteratively choose vectors $v_i$ such that for every $i$ the set $\{v_1,\ldots,v_i\}$ is linearly independent and all the nonzero vectors in $\mathrm{span}(\{v_1,\ldots,v_i\})$ have a weight of at least $2t+1$. For any $i$, this is possible if there are still vectors in $\mathbb{F}_2^n$ outside the spheres of radius $2t$ around the $2^{i-1}$ codewords in $\mathrm{span}(\{v_1,\ldots,v_{i-1}\})$: a vector $v_i$ outside all these spheres satisfies $d(v_i,w)\ge 2t+1$ for every such codeword $w$, which is exactly the weight condition on the new vectors $v_i\oplus w$, and $v_i\ne w$ gives linear independence. Since each sphere of radius $2t$ contains $\sum_{j=0}^{2t}\binom{n}{j}$ points and $2^{i-1}\le 2^{n-r-1}$ for $i\le n-r$, (126) implies $2^{i-1}\sum_{j=0}^{2t}\binom{n}{j} < 2^{n-r-1}2^r < 2^n$, so we can construct $v_1,\ldots,v_{n-r}$ in this way. The claim immediately follows if we let $v_1,\ldots,v_{n-r}$ be the rows of $G$. □

Lemma B.2 ([12, Corollary 9]). For any $0\le\mu\le\tfrac12$ and for any integer $n$, we have

$$\sum_{k=0}^{\lfloor\mu n\rfloor}\binom{n}{k}\le 2^{nH_2(\mu)}, \qquad (127)$$

where $H_2(\mu)$ is the binary entropy function $H_2(\mu) = -(\mu\log_2\mu + (1-\mu)\log_2(1-\mu))$.

Combining the previous two lemmas gives us the following asymptotic expression of the Gilbert-Varshamov bound.

Corollary B.3. Fix $0 < \delta < \tfrac14$. Then for every $n$ there exists an $(n, n-r)$ error correcting code that can correct $\lfloor\delta n\rfloor$ errors for some $r$ which satisfies

$$\frac{r}{n}\le H_2(2\delta) + \frac1n, \qquad (128)$$

since with $t = \lfloor\delta n\rfloor$ we have $2t\le 2\delta n$, so by (127) the left-hand side of (126) is at most $2^{nH_2(2\delta)}$, and $r = \lfloor nH_2(2\delta)\rfloor + 1$ satisfies (126).

Lemma B.4. Fix three positive integers $r$, $n$ and $d_{\min}$ and consider an arbitrary $r\times n$ binary matrix $F$ with linearly independent rows. Let $\mathcal{F}$ be the set containing the $r$ rows of the matrix $F$. Suppose that $2^{n-r-m+1} > \sum_{i=0}^{d_{\min}-1}\binom{n}{i}$. Then there exists a set $W$ containing $m$ vectors in $\mathbb{F}_2^n$ such that the set $W\cup\mathcal{F}$ is linearly independent and for every $v$ in the set $\mathrm{span}(W\cup\mathcal{F})\setminus\mathrm{span}(\mathcal{F})$, the inequality $d(v)\ge d_{\min}$ holds for the weight $d(v) = d(v,0)$.

Proof. Let $S$ be the set of vectors $v$ in $\mathbb{F}_2^n$ which have weight $d(v) < d_{\min}$. Then $|S| = \sum_{i=0}^{d_{\min}-1}\binom{n}{i}$. We inductively define a sequence of sets $W_i$ for $0\le i\le m$ with the property that $W_i$ contains $i$ distinct vectors from $\mathbb{F}_2^n$, the set $W_i\cup\mathcal{F}$ is linearly independent and $d(v)\ge d_{\min}$ for every $v\in\mathrm{span}(W_i\cup\mathcal{F})\setminus\mathrm{span}(\mathcal{F})$. Let $W_0 = \emptyset$, which can easily be seen to satisfy the above properties. For any $0\le i < m$, let $\mathcal{W}_i = \mathrm{span}(W_i\cup\mathcal{F})$. Since there are $2^{n-r-i}\ge 2^{n-r-m+1} > |S|$ distinct cosets of $\mathcal{W}_i$ in $\mathbb{F}_2^n$, there is at least one such coset which has empty intersection with $S$. Let $w_{i+1}$ be a representative of such a coset and define $W_{i+1} = \{w_{i+1}\}\cup W_i$. Since $0\in S$, the chosen coset is not $\mathcal{W}_i$ itself, so $W_{i+1}\cup\mathcal{F}$ is linearly independent, and every vector of $\mathrm{span}(W_{i+1}\cup\mathcal{F})\setminus\mathcal{W}_i$ lies in the chosen coset and hence has weight at least $d_{\min}$. It is thus easy to see that if $W_i$ satisfies the properties mentioned above, then this also holds for $W_{i+1}$ and the set $W_m$ can thus indeed be defined. This completes the proof. □
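The greedy constructions in the proofs of Lemma B.1 and Lemma B.4, together with the counting conditions (126) and (127) and the rate estimate of Corollary B.3, as an added Python example that is not code from the paper. The parameters used ($n = 10$, $r = 6$, $t = 1$, and the low-weight matrix $F$ with $m = 2$, $d_{\min} = 3$) are constructed for illustration; everything is brute force over $\mathbb{F}_2^n$, which is fine for $n\le 12$ or so and hopeless beyond, exactly as the existence proofs themselves are non-constructive in practice.

```python
# Added example (not from the paper): the greedy constructions behind
# Lemma B.1 (Gilbert-Varshamov) and Lemma B.4, plus checks of the counting
# condition (126) and the entropy bound (127). Brute force over F_2^n, so
# only for small n. All parameters in the usage are constructed.
from itertools import product
from math import comb, log2

def xor(u, v):
    return tuple(a ^ b for a, b in zip(u, v))

def weight(v):
    return sum(v)

def span(vectors, n):
    """All F_2-linear combinations of the given vectors (includes the zero vector)."""
    out = {(0,) * n}
    for v in vectors:
        out |= {xor(w, v) for w in out}
    return out

def ball_size(n, radius):
    """Number of points of F_2^n within Hamming distance `radius` of a fixed point."""
    return sum(comb(n, i) for i in range(radius + 1))

def binary_entropy(mu):
    return 0.0 if mu in (0.0, 1.0) else -(mu * log2(mu) + (1 - mu) * log2(1 - mu))

def gv_condition_holds(n, r, t):
    """Condition (126): sum_{i <= 2t} C(n, i) < 2^r."""
    return ball_size(n, 2 * t) < 2 ** r

def entropy_bound_holds(n, mu):
    """Lemma B.2 / (127): sum_{k <= floor(mu n)} C(n, k) <= 2^{n H_2(mu)}, 0 <= mu <= 1/2."""
    return ball_size(n, int(mu * n)) <= 2 ** (n * binary_entropy(mu))

def smallest_gv_r(n, t):
    """Smallest r for which (126) holds; Corollary B.3 says r/n <= H_2(2t/n) + 1/n."""
    r = 0
    while not gv_condition_holds(n, r, t):
        r += 1
    return r

def gv_generator(n, r, t):
    """Lemma B.1: greedily pick n - r rows, each outside every radius-2t sphere
    around the current codewords, so all nonzero combinations have weight >= 2t+1.
    Returns the rows of a generator matrix of an (n, n-r) code correcting t errors."""
    assert gv_condition_holds(n, r, t)
    rows, current = [], {(0,) * n}
    for v in product((0, 1), repeat=n):
        # v is outside all spheres iff v xor w has weight >= 2t+1 for every codeword w
        if all(weight(xor(v, w)) >= 2 * t + 1 for w in current):
            rows.append(v)
            current = span(rows, n)
            if len(rows) == n - r:
                break
    return rows

def extend_independent(F_rows, m, d_min, n):
    """Lemma B.4: find m vectors W with W u F independent and every vector of
    span(W u F) \\ span(F) of weight >= d_min, by choosing at each step a coset
    of span(W_i u F) that avoids the low-weight set S."""
    assert 2 ** (n - len(F_rows) - m + 1) > ball_size(n, d_min - 1)
    W = []
    for _ in range(m):
        current = span(list(F_rows) + W, n)
        for cand in product((0, 1), repeat=n):
            coset = {xor(cand, w) for w in current}
            if all(weight(v) >= d_min for v in coset):   # coset disjoint from S
                W.append(cand)
                break
    return W

def min_weight_outside(W, F_rows, n):
    """Smallest weight in span(W u F) \\ span(F): the quantity Lemma B.4 bounds from below."""
    inside = span(list(F_rows), n)
    return min(weight(v) for v in span(list(F_rows) + list(W), n) if v not in inside)

if __name__ == "__main__":
    rows = gv_generator(10, 6, 1)                      # (10, 4) code correcting 1 error
    print("GV rows:", rows)
    F = [(1, 1, 0, 0, 0, 0, 0, 0, 0, 0), (0, 0, 1, 1, 0, 0, 0, 0, 0, 0)]   # constructed F
    W = extend_independent(F, 2, 3, 10)
    print("W:", W, "min weight outside span(F):", min_weight_outside(W, F, 10))
```

Note the role of $F$ in Lemma B.4: its own rows may be as light as you like (the sample rows have weight 2), because only vectors outside $\mathrm{span}(\mathcal{F})$ are constrained; this is what lets the key-defining rows $K$ be chosen independently of the error-correction rows $F$ already fixed by the protocol.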